SCADAFence

The SCADAfence platform extends visibility into IT and OT networks. This collection of detection rules works with the InsightIDR SCADAFence integration.

SCADAFence - Admin Weak Authentication

Description

This detection identifies an administrator authenticating to a system with a weak password.

Recommendation

Ensure that strong passwords are being used, especially for administrative accounts, and adhere to defined password policy requirements for both length and complexity.

SCADAFence - Analysis And Correlation Service Is Not Functioning Properly

Description

This detection identifies that the analysis and correlation service is not functioning properly.

Recommendation

Verify the system is operating correctly.

SCADAFence - Anomalous Ethernet Behavior

Description

This detection identifies when a host attempts to connect to several unknown MAC addresses.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Anomalous TCP Behavior

Description

This detection identifies hosts attempting to connect to unknown TCP endpoints.

Recommendation

Verify that this activity is authorized.

SCADAFence - Anomalous UDP Behavior

Description

This detection identifies hosts attempting to connect to unknown UDP endpoints.

Recommendation

Verify that this activity is authorized.

SCADAFence - API

Description

This detection identifies use of a user-defined API.

Recommendation

Verify that this behavior is authorized.

SCADAFence - ARP Man In The Middle Attack

Description

This detection identifies ARP-based man-in-the-middle attacks.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Asset Changed OS Type Or Version

Description

This detection identifies when a host has changed operating system version or type.

Recommendation

Verify that this change was authorized.

SCADAFence - Bacnet Device Communication-Start Request Detected

Description

This detection identifies BACnet communication-start requests being performed.

Recommendation

Verify that this activity was authorized.

SCADAFence - Bacnet Device Communication-Stop Request Detected

Description

This detection identifies BACnet communication-stop requests being performed.

Recommendation

Verify that this activity was authorized.

SCADAFence - Bacnet Device Reinitialize-Service Request Detected

Description

This detection identifies BACnet reinitialize-service requests being performed.

Recommendation

Verify that this activity was authorized.

SCADAFence - Brute Force Auditing Tool Detected THC-Hydra

Description

This detection identifies the presence of the brute-forcing tool known as Hydra from The Hacker's Choice (THC).

Recommendation

Verify that this activity was authorized.

SCADAFence - Brute Force Tool Detected Medusa

Description

This detection identifies the presence of the Medusa brute-forcing tool.

Recommendation

Verify that this activity was authorized.

SCADAFence - Call-home Functionality Enabled On IoT Device

Description

This detection identifies a host that is calling home.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Camera Configuration Change Detected

Description

This detection identifies commands to reconfigure a camera being executed.

Recommendation

Verify that this activity was authorized.

SCADAFence - CIP Configuration Change Detected

Description

This detection identifies when a CIP configuration change request has been sent to a device.

Recommendation

Verify that this activity was authorized.

SCADAFence - Default Credentials

Description

This detection identifies default credentials being used in an attempt to authenticate to a system.

Recommendation

Verify that this activity was authorized and not the result of a malicious attacker attempting to gain access to the system.

SCADAFence - Default FTP Password

Description

This detection identifies the use of anonymous access to the File Transfer Protocol (FTP) service.

Recommendation

Verify that the server is authorized to allow anonymous access to this service.

SCADAFence - Default SNMP Password For Read Access

Description

This detection identifies the use of a default password when authenticating to a service.

Recommendation

Verify that use of default passwords is authorized. If not, change the password to be longer and more complex to protect against password guessing attacks.

SCADAFence - Default SNMP Password For Write Access

Description

This detection identifies the use of a default password when authenticating to a service.

Recommendation

Verify that use of weak passwords is authorized. If not, change the password to be longer and more complex to protect against password guessing attacks.

SCADAFence - Device Configuration Change Detected

Description

This detection identifies device configurations being changed.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Device Firmware Update Detected

Description

This detection identifies firmware being upgraded on a device.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Device Is No Longer Supported

Description

This detection identifies systems that are no longer supported and cannot effectively be managed.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Device Not Initialized

Description

This detection identifies that a device is not initialized.

Recommendation

Verify that this behavior is expected.

SCADAFence - Device With No Authentication Was Identified

Description

This detection identifies devices with services configured to require no authentication for access.

Recommendation

Verify that this configuration is authorized.

SCADAFence - DHCP Discovery

Description

This detection identifies when a system issues a DHCP discovery request.

Recommendation

Verify that the host and its configuration are authorized to be on the network and using DHCP.

SCADAFence - DHCP Request For IP

Description

This detection identifies requests for an address using DHCP.

Recommendation

Verify that the host and its configuration are authorized to be on the network and using DHCP.

SCADAFence - Directory Traversal Attempt Detected

Description

This detection identifies attempts to perform web directory traversal.

Recommendation

Verify that this activity was authorized.

SCADAFence - Domain Reputation Alert

Description

This detection identifies attempts to resolve malicious domains.

Recommendation

Review the alert in question and determine why resolution of the domain was attempted.

SCADAFence - Duplicate MAC Detected

Description

This detection identifies duplicate media access control (MAC) addresses.

Recommendation

Verify that this is a misconfiguration and not the result of ARP poisoning by a malicious actor.

SCADAFence - Email Distribution Service Is Not Functioning Properly

Description

This detection identifies that the email distribution service is not functioning.

Recommendation

Verify that the email system is operating.

SCADAFence - Excessive ARP Resolution

Description

This detection identifies when a host attempts to resolve several unknown IP addresses.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Excessive DNS Queries

Description

This detection identifies when a host attempts to resolve several domain names.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Excessive DNS Servers Queried

Description

This detection identifies when a host attempts to resolve names against several DNS servers.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Excessive New IP Connections

Description

This detection identifies when a host has opened an excessive number of connections to other hosts.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Failed Login Attempt

Description

This detection identifies a failed login attempt.

Recommendation

Verify that the failed login attempt was an accident by the user and not an attempt by a malicious actor.

SCADAFence - Foreign Host By IPs Resolution

Description

This detection identifies when a new host is present on the network and begins attempting to resolve several unknown hosts.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Foreign Host By Unknown IPs

Description

This detection identifies when a new host is present on the network and begins connecting to several hosts.

Recommendation

Verify that this activity is authorized.

SCADAFence - Foreign Host By Unknown MAC's

Description

This detection identifies when a new host is present on the network and begins connecting to several hosts.

Recommendation

Verify that this activity is authorized.

SCADAFence - Group To Group Communication

Description

This detection identifies network connections between different group names.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Heartbleed Exploitation Attempt Detected

Description

This detection identifies an attempt to exploit the vulnerability in OpenSSL known as Heartbleed (CVE-2014-0160).

Recommendation

Verify that this activity was authorized.

SCADAFence - Heartbleed Successful Exploitation Detected

Description

This detection identifies the successful exploitation of the vulnerability in OpenSSL known as Heartbleed (CVE-2014-0160).

Recommendation

Verify that this activity was authorized.

SCADAFence - Hostname Changed

Description

This detection identifies a change in hostname.

Recommendation

Verify that this change in hostname is authorized.

SCADAFence - Hostname Conflict Detected

Description

This detection identifies duplicate hostnames.

Recommendation

Verify that this is a misconfiguration and not a result of a malicious actor.

SCADAFence - ICS Failed Login Attempt

Description

This detection identifies failed login attempts to ICS.

Recommendation

Verify that this activity was authorized.

SCADAFence - Industrial Device Firmware Updated Command Issued

Description

This detection identifies that a device firmware update command was issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - Industrial Parameter Value Out Of Range

Description

This detection identifies when a value is outside the parameter's defined range.

Recommendation

Verify that this configuration is correct.

SCADAFence - Industrial Protocol DPI Alert

Description

This detection identifies ICS traffic triggering a DPI rule.

Recommendation

Verify that this activity was authorized.

SCADAFence - Invalid DHCP IP Offer Potential Denial Of Service Attempt

Description

This detection identifies invalid DHCP offers being given on the network.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Invalid RARP IP Offer Possible Denial Of Service Attempt

Description

This detection identifies invalid RARP offers being given on the network.

Recommendation

Verify that this behavior is authorized.

SCADAFence - IP Conflict Detected

Description

This detection identifies the same IP address being associated with two different media access control (MAC) addresses.

Recommendation

Verify that this is a misconfiguration and not the result of malicious actor behavior.

SCADAFence - IP Reputation Alert

Description

This detection identifies attempts to connect to malicious IP addresses.

Recommendation

Review the alert in question and determine why a connection to the IP address was attempted.

SCADAFence - KNX Memory Write Command Issued

Description

This detection identifies when a KNX memory write command has been issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - KNX Restart Command Issued

Description

This detection identifies when a KNX restart command has been issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - Limewire P2P File Sharing App Detected

Description

This detection identifies the presence of peer-to-peer protocols associated with Limewire.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Location Is Not Responding

Description

This detection identifies that a location is not responding.

Recommendation

Verify the location is up and operational.

SCADAFence - MAC Changed

Description

This detection identifies the change of a media access control (MAC) address.

Recommendation

Verify that the network card for this host has changed and that this observed behavior was not the result of ARP poisoning or other malicious attacker behavior.

SCADAFence - Missing Device

Description

This detection identifies when a host has not been observed on the network for a period of time.

Recommendation

Verify that this host is functioning as expected and is able to be monitored by the system.

SCADAFence - Multihomed Host Detected

Description

This detection identifies a host that has multiple network addresses.

Recommendation

Verify that this host is not unintentionally bridging networks that should be segmented.

SCADAFence - Multi-Site Communication Service Is Not Functioning Properly

Description

This detection identifies when the multi-site communication service is not functioning properly.

Recommendation

Verify that the service is functioning properly.

SCADAFence - Net Group Query For Administrative Group

Description

This detection identifies querying for administrative groups using 'net.exe'.

Recommendation

Verify that this activity was authorized.

SCADAFence - Network Scanner Tool Detected

Description

This detection identifies the presence of a network scanning tool.

Recommendation

Verify that this activity was authorized.

SCADAFence - Network Scanner Was Detected

Description

This detection identifies network scanning activity.

Recommendation

Verify that this behavior is authorized.

SCADAFence - New Connection To Industrial Device

Description

This detection identifies connections to industrial devices that have not been observed before.

Recommendation

Verify that this behavior is authorized.

SCADAFence - New Host Detected

Description

This detection identifies that a new host is present.

Recommendation

Verify that the newly detected host should be present on the network.

SCADAFence - New ICS Command

Description

This detection identifies that a new ICS command has been executed.

Recommendation

Verify that the source address executing the command was authorized.

SCADAFence - New IP Connect

Description

This detection identifies a new source address connecting.

Recommendation

Verify that this source address is authorized to connect to this service.

SCADAFence - New Management Connection To Camera

Description

This detection identifies management connections to cameras.

Recommendation

Verify that this activity was authorized.

SCADAFence - New Port

Description

This detection identifies a connection to a port that had not been observed before.

Recommendation

Verify that this connection was authorized and not the result of malicious actor activity.

SCADAFence - No Reply

Description

This detection identifies when a host attempts to connect to another address and receives no reply.

Recommendation

Verify that this behavior is authorized.

SCADAFence - OCP-UA User Read Operation Access Denied

Description

This detection identifies when an OPC-UA user does not have the required access to perform the requested read operation.

Recommendation

Verify that this activity was authorized.

SCADAFence - OPC-UA User Write Operation Access Denied

Description

This detection identifies when an OPC-UA user does not have the required access to perform the requested write operation.

Recommendation

Verify that this activity was authorized.

SCADAFence - OT To Internet Unauthorized Outbound Connection

Description

This detection identifies unauthorized connections from operational technology systems to the public Internet.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Packet Drop

Description

This detection identifies when the system is experiencing an excessive amount of dropped packets.

Recommendation

Verify that the system is able to effectively monitor the amount of network traffic.

SCADAFence - Packet Flood Denial Of Service

Description

This detection identifies an excessive number of packets being sent from one host to another.

Recommendation

Verify that the network traffic being generated is authorized.

SCADAFence - Packet Processing Service Is Not Functioning Properly

Description

This detection identifies that the packet processing service may not be analyzing network traffic.

Recommendation

Verify that the network is actively being monitored by the system.

SCADAFence - Password Brute Force Attack

Description

This detection identifies potential brute force attacks.

Recommendation

Verify that this activity was authorized and not the result of a malicious attacker.

SCADAFence - Persirai Botnet Infection Detected

Description

This detection identifies a host that is infected with Persirai botnet.

Recommendation

Verify whether this host is infected and rebuild it from a known good source as necessary.

SCADAFence - Plaintext Authentication

Description

This detection identifies that authentication over an unencrypted channel has occurred.

Recommendation

Verify that the associated service is authorized to provide unencrypted methods of authentication.

SCADAFence - PLC Firmware Update Command Issued

Description

This detection identifies PLC firmware update commands being issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Memory Reset Command Issued

Description

This detection identifies PLC memory reset commands being issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Remote Programming Mode Command Issued

Description

This detection identifies PLC remote programming mode commands being issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Remote Run Mode Command Issued

Description

This detection identifies PLC remote run mode commands being issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Remote Test Mode Command Issued

Description

This detection identifies PLC remote test mode commands being issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Restart Command Issued

Description

This detection identifies PLC restart commands being issued.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Start Command Issued

Description

This detection identifies the execution of a PLC start command.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Start Detected

Description

This detection identifies when a PLC start has been sent.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Stop Command Issued

Description

This detection identifies the execution of a PLC stop command.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Stop Detected

Description

This detection identifies when a PLC stop has been sent.

Recommendation

Verify that this activity was authorized.

SCADAFence - PLC Time Change Request Detected

Description

This detection identifies a time change command being executed.

Recommendation

Verify that this activity was authorized.

SCADAFence - Possible BlackEnergy Malware Infection

Description

This detection identifies BlackEnergy trojan communications.

Recommendation

Verify that the system is not infected with the BlackEnergy trojan.

SCADAFence - Possible BlueKeep RDP Exploitation Attempt Detected

Description

This detection identifies the attempted use of an RDP exploit known as Eternal Blue.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Possible Havex Malware Infection

Description

This detection identifies Havex trojan communications.

Recommendation

Verify that the system is not infected with the Havex trojan.

SCADAFence - Possible Industroyer Malware Infection

Description

This detection identifies Industroyer trojan communications.

Recommendation

Verify that the system is not infected with the Industroyer trojan.

SCADAFence - Possible IRC Bot Trojan Infection

Description

This detection identifies IRC bot trojan communications.

Recommendation

Verify that the system is not infected with an IRC bot trojan.

SCADAFence - Possible Linux/AED.DDoS Malware Infection

Description

This detection identifies AED trojan communications.

Recommendation

Verify that the system is not infected with the AED trojan.

SCADAFence - Possible PCRat/Gh0st Malware Trojan Infection

Description

This detection identifies PCRat/Gh0st trojan communications.

Recommendation

Verify that the system is not infected with PCRat/Gh0st trojan.

SCADAFence - Possible Snake Malware Infection

Description

This detection identifies Snake trojan communications.

Recommendation

Verify that the system is not infected with the Snake trojan.

SCADAFence - Possible Trisis Malware Infection

Description

This detection identifies Trisis trojan communications.

Recommendation

Verify that the system is not infected with the Trisis trojan.

SCADAFence - Possible WannaCry Malware Infection

Description

This detection identifies the download of WannaCry malware.

Recommendation

Verify that the system is not infected with WannaCry malware.

SCADAFence - Possible WannaCry Malware Traffic

Description

This detection identifies WannaCry malware communications.

Recommendation

Verify that the system is not infected with WannaCry malware.

SCADAFence - Possible ZeuS Malware Infection

Description

This detection identifies ZeuS trojan communications.

Recommendation

Verify that the system is not infected with ZeuS trojan.

SCADAFence - Programming Read Command Detected

Description

This detection identifies a programming read command being executed.

Recommendation

Verify that this activity was authorized.

SCADAFence - Programming Write Command Detected

Description

This detection identifies a write sequence to a PLC.

Recommendation

Verify that this activity was authorized.

SCADAFence - PsExec Tool Detected

Description

This detection identifies the use of PsExec.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Remote Command Execution Attempt Detected

Description

This detection identifies attempted remote command execution delivered over HTTP.

Recommendation

Verify that this activity was authorized.

SCADAFence - Remote Windows Command Shell Detected

Description

This detection identifies when a system has remotely opened a Windows command shell.

Recommendation

Verify that this activity was authorized.

SCADAFence - Ripple20 CVE-2020-11896 Exploitation Attempt Detected

Description

This detection identifies the attempted use of Ripple20 exploits against the Treck IP stack.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Ripple20 CVE-2020-11898 Exploitation Attempt Detected

Description

This detection identifies the attempted use of Ripple20 exploits against the Treck IP stack.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Same MAC Was Detected In More Than One VLAN

Description

This detection identifies that the same MAC address was detected on more than one VLAN within an hour.

Recommendation

Verify that this activity was authorized.

SCADAFence - SCADA Systems Signature Detected

Description

This detection identifies that a SCADA system signature has been detected.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Scheduled Task Creation Attempt

Description

This detection identifies the attempted creation of scheduled tasks.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Scheduled Task Remote Process Execution

Description

This detection identifies the attempt to create a remote scheduled task.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Signature Engine Service Is Not Functioning Properly

Description

This detection identifies when the signature engine service is not functioning.

Recommendation

Verify the service is functioning.

SCADAFence - SMB Exploitation Attempt MS08-67

Description

This detection identifies the attempted use of an SMB exploit referenced in Microsoft's security bulletin MS08-67.

Recommendation

Verify that this behavior is authorized.

SCADAFence - SMB Exploitation Attempt MS17-10 Eternal Blue

Description

This detection identifies the attempted use of an SMB exploit referenced in Microsoft's security bulletin MS17-10, also known as Eternal Blue.

Recommendation

Verify that this behavior is authorized.

SCADAFence - SMB Exploitation Attempt MS17-10 EternalRomance

Description

This detection identifies the attempted use of an SMB exploit referenced in Microsoft's security bulletin MS17-10, also known as Eternal Romance.

Recommendation

Verify that this behavior is authorized.

SCADAFence - SMBv3 CVE-2020-0796 Exploitation Attempt Detected

Description

This detection identifies the attempted use of an SMB exploit referenced in CVE-2020-0796.

Recommendation

Verify that this behavior is authorized.

SCADAFence - SSRR/LSRR Exploitation Attempt

Description

This detection identifies that an exploit attempt was sent over IP using the strict source record route (SSRR) or loose source record route (LSRR) options.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Successful Login Attempt

Description

This detection identifies a successful login attempt.

Recommendation

Verify that the login is expected.

SCADAFence - Suspicious Write Command To PLC

Description

This detection identifies that a suspicious write command was sent to the PLC.

Recommendation

Verify that this command was authorized and not a result of malicious actor activity.

SCADAFence - TCP Options MSS Denial Of Service Attempt

Description

This detection identifies that an exploit attempt was sent over TCP using the maximum segment size (MSS) option.

Recommendation

Verify that this behavior is authorized.

SCADAFence - TCP Urgent Exploitation Attempt

Description

This detection identifies that an exploit attempt was sent over TCP.

Recommendation

Verify that this behavior is authorized.

SCADAFence - TeamViewer Inbound Connection Established

Description

This detection identifies inbound TeamViewer connections being established.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Trickbot Trojan Communication Detected

Description

This detection identifies Trickbot trojan communications.

Recommendation

Verify that the system is not infected with the Trickbot trojan.

SCADAFence - Unauthorized Inbound Connection

Description

This detection identifies unauthorized connections to internal systems.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Unauthorized Inbound Connection To OT Network

Description

This detection identifies unauthorized connections to operational technology systems.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Unauthorized Outbound Connection

Description

This detection identifies unauthorized connections to external systems.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Unauthorized Outbound Connection

Description

This detection identifies when a host attempts to connect to external IP addresses.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Uncommon Configuration Was Detected On An IoT Device

Description

This detection identifies uncommon configurations of devices.

Recommendation

Verify that this configuration is authorized.

SCADAFence - Unknown IPs

Description

This detection identifies when a host attempts to connect to several unknown IP addresses.

Recommendation

Verify that this behavior is authorized.

SCADAFence - Use Of Deprecated Protocol SMBv1

Description

This detection identifies the use of the deprecated protocol SMBv1.

Recommendation

Verify that this behavior is authorized.

SCADAFence - User Defined Alert

Description

This detection identifies user defined alerts.

Recommendation

Review the alert in question.

SCADAFence - User Weak Authentication

Description

This detection identifies the use of a weak password when authenticating to a service.

Recommendation

Verify that use of weak passwords is authorized. If not, change the password to be longer and more complex to protect against password guessing attacks.

SCADAFence - Vulnerability Assessment Tool Detected Nessus

Description

This detection identifies the presence of the web vulnerability assessment tool known as Nessus.

Recommendation

Verify that this activity was authorized.

SCADAFence - Vulnerable Device Configuration Detected

Description

This detection identifies a vulnerable configuration of a device.

Recommendation

Verify that this configuration is authorized.

SCADAFence - Web Vulnerability Assessment Tool Detected Burpsuite

Description

This detection identifies the presence of the web vulnerability assessment tool known as Burpsuite.

Recommendation

Verify that this activity was authorized.

SCADAFence - Web Vulnerability Assessment Tool Detected Nikto

Description

This detection identifies the presence of the Nikto web vulnerability assessment tool.

Recommendation

Verify that this activity was authorized.

SCADAFence - WMI Possible Remote Process Execution

Description

This detection identifies a possible attempt to perform remote process execution through Windows Management Instrumentation.

Recommendation

Verify that this activity was authorized.

SCADAFence - WMI Remote Process Execution

Description

This detection identifies an attempt to perform remote process execution through Windows Management Instrumentation.

Recommendation

Verify that this activity was authorized.

SCADAFence - ZeroAccess Trojan Communication Detected

Description

This detection identifies ZeroAccess trojan communications.

Recommendation

Verify that the system is not infected with the ZeroAccess trojan.