New ICS malware TRITON: modifies the SIS to raise the odds of physical damage (Part 4)

2017-12-23 18:01  Source: compiled by 99科技  Editor: 时寒峰


  For any application that depends on data from the SIS, connect it through a unidirectional (one-way) gateway rather than over a bidirectional network;

  On every server or workstation that can reach the SIS over TCP/IP, enforce strict access control and application whitelisting;

  Monitor ICS network traffic for anomalous communications.
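The last three recommendations above (one-way data path out of the SIS, a single tightly controlled engineering path into it, and monitoring for anything else) can be turned into a simple allowlist check over flow records. The script below is an added example, not code from the article or from FireEye/Mandiant. The addresses, the historian host and the flow records are constructed; the one fact taken from FireEye's TRITON analysis is that the TriStation protocol, which TRITON used to talk to the Triconex controller, runs over UDP/1502.

```python
"""Allowlist-based monitor for traffic to and from a Triconex SIS controller.

Added example (not from the article or from FireEye). Constructed layout:
  - SIS controller          10.10.1.5      (lives on SIS network 10.10.1.0/24)
  - engineering workstation 10.10.1.20     (the only host allowed to use TriStation)
  - historian / one-way gateway endpoint 10.10.2.50 (only allowed destination outside the SIS net)
TriStation traffic is UDP/1502 per FireEye's TRITON report.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SIS_CONTROLLER = ip_address("10.10.1.5")     # assumption: site inventory
ENGINEERING_WS = ip_address("10.10.1.20")    # assumption: site inventory
SIS_NETWORK = ip_network("10.10.1.0/24")     # assumption: site inventory
HISTORIAN = ip_address("10.10.2.50")         # assumption: one-way gateway side
TRISTATION_PORT = 1502                       # TriStation protocol, UDP/1502


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record of the form 'src,dst,proto,dport'."""
    src, dst, proto, dport = (field.strip() for field in line.split(","))
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return an alert string if the flow violates the SIS access policy, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)

    # Policy 1: only the engineering workstation may speak TriStation to the SIS.
    if dst == SIS_CONTROLLER and flow.proto == "udp" and flow.dport == TRISTATION_PORT:
        if src != ENGINEERING_WS:
            return f"TriStation from unauthorized host {src}"
        return None

    # Policy 2: no other inbound connection to the SIS controller is expected.
    if dst == SIS_CONTROLLER:
        return f"unexpected {flow.proto}/{flow.dport} to SIS controller from {src}"

    # Policy 3: data leaving the SIS network may only go to the one-way gateway
    # endpoint; anything else suggests a bidirectional path that should not exist.
    if src in SIS_NETWORK and dst not in SIS_NETWORK and dst != HISTORIAN:
        return f"SIS-network host {src} talking to {dst}:{flow.dport} outside the one-way path"

    return None


def scan(lines) -> List[str]:
    """Run every flow record through the policy and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alert = classify(parse_flow(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed flow records (not captured traffic): src,dst,proto,dport
SAMPLE_FLOWS = """\
# authorized engineering session
10.10.1.20,10.10.1.5,udp,1502
# TriStation from a host that should never touch the SIS
10.10.1.99,10.10.1.5,udp,1502
# SMB toward the controller from another segment
10.10.3.7,10.10.1.5,tcp,445
# SIS data going to the historian over the one-way path
10.10.1.5,10.10.2.50,tcp,5450
10.10.1.20,10.10.2.50,tcp,5450
# engineering workstation reaching an outside host
10.10.1.20,192.168.50.9,tcp,443
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

Running the block prints three alerts: the unauthorized TriStation client, the SMB connection to the controller, and the workstation-to-outside flow. The two authorized flows (engineering session and historian feed) stay silent. In a real deployment the inventory constants would come from the site's asset register and the records from a span port or firewall export.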

  The figure below shows the key switch on the Triconex main chassis:

  Indicators of Compromise (IoC)

  Detection

```yara
rule TRITON_ICS_FRAMEWORK
{
    meta:
        author = "nicholas.carr @itsreallynick"
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"
    strings:
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide

        $py_cnames_01 = "TS_cnames.py" nocase ascii wide
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide

        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide

        $py_tsbase_01 = "TsBase.py" nocase ascii wide
        $py_tsbase_02 = ".TsBase(" nocase ascii wide

        $py_tshi_01 = "TsHi.py" nocase ascii wide
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide

        $py_tslow_01 = "TsLow.py" nocase ascii wide
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide

        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        // The rule is cut off here on this page: the remaining strings and the
        // condition clause are not reproduced, so the text above will not compile as-is.
```
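The rule groups its strings into a `$python_*` family (generic Python artifacts) and a `$py_*` family (names from the TriStation libraries), and every string carries `ascii wide`, which makes YARA try the text both as plain bytes and as UTF-16LE. The following Python scanner is an added example, not from the article or from FireEye/Mandiant: it re-implements `nocase` and `ascii wide` by hand for a subset of the rule's strings so their effect is visible, checks the md5 from the rule's `meta` block, and applies a hit threshold. That threshold is an assumption for illustration only, since the page does not reproduce the rule's real condition clause. The sample files are constructed.

```python
"""Triage scanner mirroring the string families of TRITON_ICS_FRAMEWORK.

Added example, not FireEye's rule or code. Demonstrates:
  - nocase      -> case-insensitive match
  - ascii wide  -> match the text as raw bytes OR as UTF-16LE
  - a hash check against the md5 documented in the rule's meta block
The condition (thresholds below) is an assumption; the real clause is not on the page.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# (family, text, nocase) for a subset of the rule's strings, copied verbatim from the rule.
INDICATORS: List[Tuple[str, str, bool]] = [
    ("python", ".pyc", True),
    ("python", "<module>", True),
    ("py", "import Ts", True),
    ("py", "TS_cnames.py", True),
    ("py", "TriStation ", True),
    ("py", "GetCpStatus", True),
    ("py", "ts_", False),              # no nocase in the rule: case-sensitive
    ("py", "TsBase.py", True),
    ("py", "keystate", True),
    ("py", "GetProjectInfo", True),
    ("py", "SafeAppendProgramMod", True),
    ("py", "CRC16_MODBUS", False),     # no nocase in the rule: case-sensitive
]
KNOWN_MD5 = "0face841f7b2953e7c29c064d6886523"   # from the rule's meta block


def _pattern(text: str, nocase: bool):
    """Compile `text` so it matches as ASCII bytes ('ascii') or UTF-16LE ('wide')."""
    ascii_form = re.escape(text.encode("ascii"))
    wide_form = re.escape(text.encode("utf-16-le"))
    flags = re.IGNORECASE if nocase else 0   # IGNORECASE folds ASCII letters in both forms
    return re.compile(b"(?:" + ascii_form + b")|(?:" + wide_form + b")", flags)


PATTERNS = [(family, text, _pattern(text, nocase)) for family, text, nocase in INDICATORS]


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Return the indicator strings that hit in `data`, grouped by family."""
    hits: Dict[str, List[str]] = {"python": [], "py": []}
    for family, text, pat in PATTERNS:
        if pat.search(data):
            hits[family].append(text)
    return hits


def verdict(data: bytes, min_python: int = 1, min_py: int = 4) -> bool:
    """Assumed condition: exact md5 match, or >= min_python generic hits AND >= min_py
    TriStation-library hits. Thresholds are illustrative, not the rule's own."""
    if hashlib.md5(data).hexdigest() == KNOWN_MD5:
        return True
    hits = scan_bytes(data)
    return len(hits["python"]) >= min_python and len(hits["py"]) >= min_py


# Constructed samples (not real TRITON files).
# The middle segment is UTF-16LE to show the 'wide' side of the match.
SUSPECT = (
    b"# TsBase.py\nimport TsHi\n"
    + "GetProjectInfo keystate".encode("utf-16-le")
    + b"\n<module>"
)
# A harmless Python helper that happens to contain two of the case-sensitive strings.
BENIGN = b"def ts_read(): return 0\n# CRC16_MODBUS helper\n"

if __name__ == "__main__":
    for name, blob in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(name, verdict(blob), scan_bytes(blob))
```

SUSPECT trips one `python` hit (`<module>`) and four `py` hits, two of them found only through the UTF-16LE form, so it is flagged. BENIGN contains `ts_` and `CRC16_MODBUS` but no generic Python artifact and too few library names, so it is not. The practical lesson is that `wide` matters for TRITON-style tooling: strings such as `TriStation ` can sit inside UTF-16 data (for example Windows resources or unicode log text) where a plain byte search would miss them.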
