Author: Daniel Lubel, Senior Purple Team Researcher
We want to share with you one of the IR (Incident Response) exercises in our training. This training combines practical OT and IT attacks; we are sure you can take some concepts and ideas from this post.
The goals of the exercise:
- To gain experience with detection of malicious behavior in OT environments
- To improve some basic IR skills
The exercise:
The Home Front Command is reporting a new cyber attack. Their systems are alerting about rockets non-stop, although the enemy is not actually firing any rockets. This causes serious panic among the citizens. The Home Front Command reviewed their TIA project but did not see any suspicious changes.
The red flasher connected to the S7-1200 PLC symbolizes the alert - as you can see, the flasher was turned on. The steel sensor symbolizes the rocket radar. In a normal situation, the flasher is on only when the steel sensor is very close to the steel wall.
Your mission is:
- To figure out who hacked their network
- List the attacker's activities in the network, step by step
- Find what the attacker changed in order to cause these alerts
The environment to investigate:
VMs:
- DC of the network
- Engineer station
- Computers in the network
PLC:
- S7-1200 (which can be accessed only from the engineer station)
Attacker Chain Of Activities (The Solution):
syntax: <event> - <how it can be detected>
1. An IT employee visits a phishing web page and downloads an SFX (self-extracting) executable - Chrome history.
2. The attacker steals the krbtgt hash using PowerShell - extract the PowerShell code from the SFX and reverse engineer it.
3. The attacker generates a golden ticket with administrator privileges - DC event log ID 4769 with a fake account name.
4. The attacker uses the golden ticket to connect to the engineer station with PsExec - PsExec service installation in Event Viewer, log ID 7045; the fake user can also be seen in the user profile folders.
5. The attacker copies the project to the attack station using the "net use" command - Event Viewer log ID 5145.
6. The attacker runs netsh on the victim's computer to forward communication from the attack station into the OT environment - the netsh prefetch file and "netsh interface portproxy show all", which lists the forwarding rules.
7. The attacker uploads a new project to the PLC via the web interface - logs in the PLC web interface indicate that a new project has been uploaded.
8. Downloading the current project from the PLC and comparing it to the legitimate project that was provided reveals that the value in the sensor condition has changed. The flasher is now on even when the sensor does not touch the steel.
The attacker changed the value 7.3 to 4, which made the "Tag_3" condition irrelevant.
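The detection hints in steps 3 to 6 can be turned into a small triage script. The following is an added example, not code from the original exercise: it runs each check over constructed records that stand in for exported Windows events (field names follow the event XML: TargetUserName and ServiceName for 4769, ServiceName and ImagePath for 7045, RelativeTargetName for 5145) and over sample output of "netsh interface portproxy show all". The account names, hosts, file paths and the OT subnet 192.168.10.0/24 are made up; the PSEXESVC service name is PsExec's default (a renamed service would need a different check, for example on the binary hash), and the .apNN extension is the TIA Portal project file format (e.g. .ap15).

```python
import re

# ---- Constructed inputs (stand-ins for exported logs; every value is made up) ----

# Accounts that exist in the directory, as exported from the DC.
KNOWN_ACCOUNTS = {"administrator", "j.doe", "svc_backup", "krbtgt"}

# Events flattened to (event_id, fields). Field names follow the Windows
# event XML, but the records themselves are constructed for this example.
SAMPLE_EVENTS = [
    (4769, {"TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "ENG-STATION$"}),
    (4769, {"TargetUserName": "hackerman@CORP.LOCAL", "ServiceName": "ENG-STATION$"}),
    (7045, {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    (7045, {"ServiceName": "wuauserv", "ImagePath": r"%SystemRoot%\System32\svchost.exe"}),
    (5145, {"ShareName": r"\\*\C$", "RelativeTargetName": r"TIA\HomeFront\HomeFront.ap15"}),
    (5145, {"ShareName": r"\\*\C$", "RelativeTargetName": r"Users\j.doe\notes.txt"}),
]

# Constructed output of "netsh interface portproxy show all"; port 102 is S7comm.
NETSH_PORTPROXY_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         102         192.168.10.50   102
0.0.0.0         8080        10.0.0.7        80
"""

OT_SUBNET_PREFIX = "192.168.10."  # hypothetical OT address range


def unknown_ticket_accounts(events, known_accounts):
    """Step 3: 4769 service-ticket requests for an account the directory does
    not know. A golden ticket is forged offline, so the KDC issues service
    tickets for whatever name was put in it; that name appears only in 4769."""
    hits = []
    for event_id, f in events:
        if event_id != 4769:
            continue
        user = f.get("TargetUserName", "").split("@")[0].lower()
        if user and user not in known_accounts:
            hits.append(user)
    return hits


def psexec_service_installs(events):
    """Step 4: 7045 service installs whose name or binary is PsExec's default."""
    return [
        f["ServiceName"]
        for event_id, f in events
        if event_id == 7045
        and "psexesvc" in (f.get("ServiceName", "") + f.get("ImagePath", "")).lower()
    ]


TIA_PROJECT_RE = re.compile(r"\.ap\d{2}$", re.IGNORECASE)  # TIA Portal project, e.g. .ap15


def project_file_share_access(events):
    """Step 5: 5145 detailed share accesses that touch a TIA project file."""
    return [
        f["RelativeTargetName"]
        for event_id, f in events
        if event_id == 5145 and TIA_PROJECT_RE.search(f.get("RelativeTargetName", ""))
    ]


def parse_portproxy(text):
    """Parse the netsh portproxy table into
    (listen_addr, listen_port, connect_addr, connect_port) tuples.
    Header and separator rows have four columns too, so keep only rows
    whose port columns are numeric."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            rules.append((parts[0], int(parts[1]), parts[2], int(parts[3])))
    return rules


def ot_forwarding_rules(text, ot_prefix):
    """Step 6: port-proxy rules whose destination lies in the OT address range."""
    return [r for r in parse_portproxy(text) if r[2].startswith(ot_prefix)]


def triage(events, known_accounts, portproxy_text, ot_prefix):
    """Run all four checks and return the findings keyed by the step they support."""
    return {
        "step3_golden_ticket_names": unknown_ticket_accounts(events, known_accounts),
        "step4_psexec_services": psexec_service_installs(events),
        "step5_project_files_accessed": project_file_share_access(events),
        "step6_ot_forwarding_rules": ot_forwarding_rules(portproxy_text, ot_prefix),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, KNOWN_ACCOUNTS, NETSH_PORTPROXY_OUTPUT, OT_SUBNET_PREFIX).items():
        print(f"{key}: {value}")
```

On real data the events would come from an EVTX export (for example via Get-WinEvent on the host) and the account list from the DC; the checks stay the same. The golden-ticket check is the strongest of the four because a name that never existed in the directory cannot be explained by legitimate activity, whereas PSEXESVC and a project copy over an admin share may also be normal for an engineer.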