New Knowledge Pack Released (KP Plus 5.0)

Dragos Knowledge Pack Plus 5.0 (KP Plus 5.0) represents the first public release since shifting to our new quarterly and weekly release process. For more information on this, please refer to our earlier blog “Changing How We Release Knowledge Packs”. Registered customers interested in technical details around naming and content related to protocol support, characterizations, threat detections, and dashboards can read more in the Dragos Customer Portal. With this release, we’ve added coverage for vulnerabilities based on 12 new advisories associated with vendors including: WAGO, Mitsubishi Electric, Rockwell Automation, Moxa, and Hitachi Energy. We further updated coverage for vulnerabilities based on 175 advisories, impacting 80+ assets. Over 300 characterizations and 620 detections are included in KP Plus 5.0 for customers running Dragos Platform 2.2.x. Key highlights of this release are included below.

Characterizations

• Asset Identification by LLDP String – processes Link Layer Discovery Protocol (LLDP) System Description strings through an expanded set of logic rules to extract information on the hardware details and functional roles of assets across the network.

• CIP Hardware Analysis – enhancements to the extraction of vendor, model, firmware, and other asset identification information from CIP Identity records.

• CodeSys v3 Characterization – we now utilize the CODESYS V3 protocol to capture asset information including vendor, model, and firmware version. This asset information is being leveraged to identify threat detections and critical vulnerabilities related to the EVILSCHOLAR tool and the CHERNOVITE threat group.

• Siemens S7Comm Plus Characterizations – the S7Comm+ protocol is now used by the Dragos Platform to identify vendor, model, and firmware versions. Dragos is also collecting and mapping Siemens product family information based on observed MLFB values within the protocol to further enhance asset identification fidelity. This asset identification supports vulnerability identification for many Siemens ICS devices.

• DeltaV DOP Characterization Enhancements – improvements for identifying Emerson DeltaV assets have been added using the DeltaV DOP protocol. We can identify the vendor, model, and software version of Emerson devices passively and use this to detect vulnerabilities. We also track common events of interest like commissioning, decommissioning and DeltaV program downloads. The DOP protocol traffic is used to link primary and secondary network cards on DeltaV assets in order to merge them so they render correctly in network diagrams.

Detections

• ENIP CIP Unusual Lengths – further updates to the detection associated with CVE-2023-3595 and CVE-2023-3596, indicating a possible exploit of Rockwell Automation ControlLogix controllers.

• Siemens S7Comm+ Operational Events – added the ability for S7Comm+ operational events of interest to be monitored such as PLC starts and stops.

• Phoenix Contact ILC191 PLC Remote Reboot Detection – identifies when reboot commands are issued to a Phoenix Contact PLC.

• CODESYS V3 – event triggered on CODESYS V3 close channel request.

• Multiple Suricata Alerts on Host – detects multiple alerts fired on the same host within a specific timeframe. Although suspicious, this may not indicate malicious activity, and the individual signatures should provide context to make that determination.

• OMRON PLC NX1P2 Hardcoded Username – determines if the default TELNET username is hardcoded in the Omron NX1P2 device.

• SharpHound Composite Detection – four Suricata signatures associated with SharpHound originating from a single source. SharpHound is the data collector for BloodHound, a pentesting tool for Active Directory discovery.

• Windows Service Created with Unusual Source Directory – new service with an unusual application path created on a Windows host. The application is located outside of typical locations for services, often used to maintain persistence for malicious actors.

• IEC 104 – significant expansion of detection catalog for the IEC 60870-5-104 protocol. Dragos platform customers using KP Plus 5.0 now benefit from 25 new analytics that increase situational awareness of IEC 104 devices. This includes refinements to asset identification, specifically notifying operators when new Controlling or Controlled Stations are introduced to the network. Additionally, a full suite of anomaly detections are included for when devices operate out of character for the roles they are assigned. A few of these detections include out of specification addressing and command issues, process resets, response errors, unexpected time syncs, anomalous file transfers, and ELECTRUM-related command signatures.

• Godzilla Webshell Traffic Detection – analytic that detects Godzilla Webshell network traffic based on default parameters for the POST header’s User_Agent and the Accept_Lang attributes.

• DNP3 Rapid Point Detection – Enhanced the existing DNP3 Rapid Point detection by adding asset information to the alert produced this should better facilitate follow on response actions.

Dragos Platform customers receive regular updates through Knowledge Packs which include enhancements to threat detections, protocol support, asset visibility, and playbooks to equip customers with continuous improvements for their OT cybersecurity operations. Each Knowledge Pack contains the latest exclusive insight from Dragos intelligence teams, streamlining the detection of devices and potential malicious activity across industrial networks. To learn more about Dragos Knowledge Packs and how we continuously incorporate our industry-leading OT expertise into the Dragos Platform, we invite you to read this overview or contact sales@dragos.com.