From fc7169cabe991aa7c757624299221725775d2706 Mon Sep 17 00:00:00 2001 
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 15 May 2025 00:31:56 +0530 Subject: [PATCH 01/11] ICS Network Templates --- ..._Bradley_CompactLogix_enip-cip_detect.yaml | 31 ++++++++++++ ...llen_Bradley_GuardPLC_enip-cip_detect.yaml | 39 +++++++++++++++ ...llen_Bradley_Micro800_enip-cip_detect.yaml | 35 ++++++++++++++ ...en_Bradley_MicroLogix_enip-cip_detect.yaml | 47 +++++++++++++++++++ .../Allen_Bradley_PLC-5_enip-cip_detect.yaml | 39 +++++++++++++++ ...Allen_Bradley_SLC-500_enip-cip_detect.yaml | 35 ++++++++++++++ network/detection/Red_Lion_enip_detect.yaml | 33 +++++++++++++ .../Schneider-Modicon/modicon_340_detect.yaml | 34 ++++++++++++++ .../Schneider-Modicon/modicon_580_detect.yaml | 34 ++++++++++++++ network/enumeration/modicon-info.yaml | 43 +++++++++++++++++ ...Ethernet_IP_CIP_conpot_default_config.yaml | 27 +++++++++++ .../snap7_honeypot_default_config.yaml | 35 ++++++++++++++ 12 files changed, 432 insertions(+) create mode 100644 network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml create mode 100644 network/detection/Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml create mode 100644 network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml create mode 100644 network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml create mode 100644 network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml create mode 100644 network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml create mode 100644 network/detection/Red_Lion_enip_detect.yaml create mode 100644 network/detection/Schneider-Modicon/modicon_340_detect.yaml create mode 100644 network/detection/Schneider-Modicon/modicon_580_detect.yaml create mode 100644 network/enumeration/modicon-info.yaml create mode 100644 network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml create mode 100644 network/honeypot/snap7_honeypot_default_config.yaml 
diff --git a/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml new file mode 100644 index 00000000000..25cafb1a6d2 --- /dev/null +++ b/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml @@ -0,0 +1,31 @@ +id: Allen_Bradley_CompactLogix_enip-cip_detect + +info: + name: Allen_Bradley_CompactLogix_enip-cip_detected + author: biero-el-corridor + severity: info + description: | + detect Allen Bradley CompactLogix series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). + metadata: + max-request: 2 + vendor: Allen_Bradley + product: CompactLogix_series + shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" + tags: ICS,Allen_Bradley,CompactLogix_series + +tcp: + - host: + - "{{Host}}:44818" + inputs: + - data: "630000000000000000000000000000000000000000000000" + type: hex + read: 200 + name: info + + read-size: 1024 + matchers-condition: or + matchers: + - type: binary + part: info + binary: + - "313736392d" # 1769- (1769-L23: Built-in I/O || 1769-L24ER: With expansion capabilities || 1769-L30ER: Higher performance || 1769-L35ER: High-end version) \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml new file mode 100644 index 00000000000..d052aa87422 --- /dev/null +++ b/network/detection/Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml 
@@ -0,0 +1,39 @@ +id: Allen_Bradley_GuardPLC_enip-cip_detect + +info: + name: Allen_Bradley_GuardPLC_enip-cip_detected + author: biero-el-corridor + severity: info + description: | + detect Allen Bradley GuardPLC series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). + metadata: + max-request: 2 + vendor: Allen_Bradley + product: GuardPLC_series + shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" + tags: ICS,Allen_Bradley,GuardPLC_series + +tcp: + - host: + - "{{Host}}:44818" + inputs: + - data: "630000000000000000000000000000000000000000000000" + type: hex + read: 200 + name: info + + read-size: 1024 + matchers-condition: or + matchers: + - type: binary + part: info + binary: + - "313735332d" # 1753 + - type: binary + part: info + binary: + - "313735342d" # 1754 + - type: binary + part: info + binary: + - "313735352d" # 1755 \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml new file mode 100644 index 00000000000..ad74f3a1def --- /dev/null +++ b/network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml 
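Review bot: The three matchers in Allen_Bradley_GuardPLC_enip-cip_detect.yaml each hold a single byte pattern on the same `part: info` and are only joined by `matchers-condition: or`; that is three copies of the same matcher header for what is one check. A single matcher with a three-entry `binary:` list and `condition: or` expresses the same verdict in a third of the lines and keeps the `# 1753`/`# 1754`/`# 1755` comments next to each other. The comments could also carry the trailing hyphen the bytes encode (`2d`), e.g. `# 1753-`, so they read as the prefixes they are.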
@@ -0,0 +1,35 @@ +id: Allen_Bradley_Micro800_enip-cip_detect + +info: + name: Allen_Bradley_Micro800_enip-cip_detected + author: biero-el-corridor + severity: info + description: | + detect Allen Bradley Micro800 series cia enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). + metadata: + max-request: 2 + vendor: Allen_Bradley + product: Micro800_series + shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" + tags: ICS,Allen_Bradley,Micro800_series + +tcp: + - host: + - "{{Host}}:44818" + inputs: + - data: "630000000000000000000000000000000000000000000000" + type: hex + read: 200 + name: info + + read-size: 1024 + matchers: + - type: binary + part: info + binary: + - "323038302d" # 2080- https://literature.rockwellautomation.com/idc/groups/literature/documents/br/2080-br001_-en-p.pdf + # Modèles : + #2080-LC10-12AWA: 8 entrées numériques 120-240V AC, 4 sorties relais numériques. + #2080-LC10-12QWB: 8 entrées numériques 24V DC/VAC, 4 sorties relais numériques + 4 entrées analogiques 0-10V. + #2080-LC10-12DWD: 8 entrées numériques 12V DC, 4 sorties relais numériques + 4 entrées analogiques 0-10V. + #2080-LC10-12QBB: 8 entrées numériques 24V DC/VAC, 4 sorties source 24V DC + 4 entrées analogiques 0-10V. \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml new file mode 100644 index 00000000000..4d69eadf183 --- /dev/null +++ b/network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml 
@@ -0,0 +1,47 @@ +id: Allen_Bradley_MicroLogix_enip-cip_detect + +info: + name: Allen_Bradley_MicroLogix_enip-cip_detected + author: biero-el-corridor + severity: info + description: | + detect Allen Bradley MicroLogix series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). + metadata: + max-request: 2 + vendor: Allen_Bradley + product: MicroLogix_series + shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" + tags: ICS,Allen_Bradley,MicroLogix_series + +tcp: + - host: + - "{{Host}}:44818" + inputs: + - data: "630000000000000000000000000000000000000000000000" + type: hex + read: 200 + name: info + + read-size: 1024 + matchers-condition: or + matchers: + - type: binary + part: info + binary: + - "313736312d" # 1761- (1761: Fixed I/O, entry-level controllers) + - type: binary + part: info + binary: + - "313736322d" # 1762- (1762: Similar to 1761 but with expansion capabilities) + - type: binary + part: info + binary: + - "313736332d" # 1763- (1763: MicroLogix 1100 series) + - type: binary + part: info + binary: + - "313736342d" # 1764- (1764: MicroLogix 1400 series) + - type: binary + part: info + binary: + - "313736362d" # 1766- (1766: MicroLogix 1500 series) \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml new file mode 100644 index 00000000000..07d72630306 --- /dev/null +++ b/network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml 
@@ -0,0 +1,39 @@ +id: Allen_Bradley_PLC-5_enip-cip_detect + +info: + name: Allen_Bradley_PLC-5_enip-cip_detected + author: biero-el-corridor + severity: info + description: | + detect Allen Bradley PLC-5 series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). + metadata: + max-request: 2 + vendor: Allen_Bradley + product: PLC-5_series + shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" + tags: ICS,Allen_Bradley,PLC-5_series + +tcp: + - host: + - "{{Host}}:44818" + inputs: + - data: "630000000000000000000000000000000000000000000000" + type: hex + read: 200 + name: info + + read-size: 1024 + matchers-condition: or + matchers: + - type: binary + part: info + binary: + - "313737312d" # 1771- + - type: binary + part: info + binary: + - "313737322d" # 1772- + - type: binary + part: info + binary: + - "313738352d" # 1785- https://www.ideadigitalcontent.com/files/11994/ID-SPE-1785-sg001_-en-p.pdf \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml new file mode 100644 index 00000000000..bcd517912ac --- /dev/null +++ b/network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml 
@@ -0,0 +1,35 @@ +id: Allen_Bradley_SLC-500_enip-cip_detect + +info: + name: Allen_Bradley_SLC-500_enip-cip_detected + author: biero-el-corridor + severity: info + description: | + detect Allen Bradley SLC-500 series enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). + metadata: + max-request: 2 + vendor: Allen_Bradley + product: SLC-500_series + shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" + tags: ICS,Allen_Bradley,SLC-500_series + +tcp: + - host: + - "{{Host}}:44818" + inputs: + - data: "630000000000000000000000000000000000000000000000" + type: hex + read: 200 + name: info + + read-size: 1024 + matchers-condition: or + matchers: + - type: binary + part: info + binary: + - "313734362d" # 1746- + - type: binary + part: info + binary: + - "313737322d" # 1747- diff --git a/network/detection/Red_Lion_enip_detect.yaml b/network/detection/Red_Lion_enip_detect.yaml new file mode 100644 index 00000000000..6c0e15bf994 --- /dev/null +++ b/network/detection/Red_Lion_enip_detect.yaml @@ -0,0 +1,33 @@ +id: Red_Lion_enip_detect + +info: + name: Red_Lion_enip_detect + author: biero-el-corridor + severity: info + description: | + detect Red Lion (shodan query: port:789 "Red Lion Controls"). + metadata: + max-request: 2 + vendor: Schneider + product: Modicon340 + tags: ICS,RedLion + +tcp: + - host: + - "{{Host}}:789" # ENIP Port + inputs: + - data: "0004012b1b00" + type: hex + read: 200 + name: info + - data: "0004012a1a00" + type: hex + read: 200 + name: note + + read-size: 1024 + matchers: + - type: binary + part: info + binary: + - "526564204c696f6e20436f6e74726f6c73" # Red Lion Controls diff --git a/network/detection/Schneider-Modicon/modicon_340_detect.yaml b/network/detection/Schneider-Modicon/modicon_340_detect.yaml new file mode 100644 index 00000000000..b8d74658f69 --- /dev/null +++ b/network/detection/Schneider-Modicon/modicon_340_detect.yaml 
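Review bot: The second matcher in Allen_Bradley_SLC-500_enip-cip_detect.yaml does not encode the prefix its comment claims: `313737322d` is ASCII `1772-`, not `1747-` (which would be `313734372d`), so this template fires on the PLC-5 1772- prefix that Allen_Bradley_PLC-5_enip-cip_detect.yaml already matches and never on a 1747- SLC. Change the entry to `- "313734372d" # 1747-`. As in the sibling templates, the two single-pattern matchers can be merged into one `binary:` list with `condition: or`.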
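Review bot: The metadata in Red_Lion_enip_detect.yaml is copied from the Modicon templates: `vendor: Schneider` and `product: Modicon340` contradict the `tags: ICS,RedLion` and the `Red Lion Controls` byte pattern. Set a Red Lion vendor/product and move the query from the description into `shodan-query: 'port:789 "Red Lion Controls"'` as the other templates do. The second input (`name: note`) is sent but no matcher reads it, so it can be dropped to keep the probe to a single request against an ICS endpoint. The `# ENIP Port` comment on 789 looks doubtful given the Allen-Bradley templates use 44818 for EtherNet/IP; confirm what service 789 is before keeping the label.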
@@ -0,0 +1,34 @@ +id: modicon_340_detect + +info: + name: mSchneider_modicon_580_detected + author: biero-el-corridor + severity: info + description: | + detect Schenider Electric Modicon 340 series via UMAS protocol. + metadata: + max-request: 2 + vendor: Schneider + product: Modicon340 + shodan-query: port:502 "P34" + tags: ICS,Schenider,modicon + +tcp: + - host: + - "{{Host}}:502" + inputs: + - data: "000000000005002b0e0200" + type: hex + read: 200 + name: info + - data: "000100000004005a0002" + type: hex + read: 200 + name: note + + read-size: 1024 + matchers: + - type: binary + part: note + binary: + - "424d5820503334" # BMX P34 diff --git a/network/detection/Schneider-Modicon/modicon_580_detect.yaml b/network/detection/Schneider-Modicon/modicon_580_detect.yaml new file mode 100644 index 00000000000..568402c4fb2 --- /dev/null +++ b/network/detection/Schneider-Modicon/modicon_580_detect.yaml @@ -0,0 +1,34 @@ +id: modicon_580_detect + +info: + name: Schneider_modicon_580_detected + author: biero-el-corridor + severity: info + description: | + detect Schenider Electric Modicon 580 series via UMAS protocol. + metadata: + max-request: 2 + vendor: Schneider + product: Modicon580 + shodan-query: port:502 "P58" + tags: ICS,Schenider,modicon + +tcp: + - host: + - "{{Host}}:502" + inputs: + - data: "000000000005002b0e0200" + type: hex + read: 200 + name: info + - data: "000100000004005a0002" + type: hex + read: 200 + name: note + + read-size: 1024 + matchers: + - type: binary + part: note + binary: + - "424d4520503538" # BME P58 diff --git a/network/enumeration/modicon-info.yaml b/network/enumeration/modicon-info.yaml new file mode 100644 index 00000000000..914e76eca7b --- /dev/null +++ b/network/enumeration/modicon-info.yaml 
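Review bot: `name: mSchneider_modicon_580_detected` in modicon_340_detect.yaml has a stray leading `m` and names the wrong series — the id, `product: Modicon340` and the `BMX P34` matcher all say 340 — so it should read `name: Schneider_modicon_340_detected`. Both this file and modicon_580_detect.yaml spell the vendor `Schenider` in the description and in `tags`, which also defeats tag selection (`-tags schneider`); correct to `Schneider` in both. In both files the first request (`name: info`) is never matched; if it is not required to precede the UMAS request it can be removed.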
@@ -0,0 +1,43 @@ +id: modicon_info + +info: + name: modicon_info + author: biero-el-corridor + severity: info + description: | + Grab info on the Modicon PLC. + metadata: + max-request: 2 + vendor: Schneider + product: Modicon + shodan-query: "Device Identification: Schneider Electric" + tags: ICS,modicon,schneider + +tcp: + - host: + - "{{Host}}:502" + inputs: + - data: "000000000005002b0e0200" + type: hex + read: 200 + name: info + - data: "000f0000000d005a002000140064000000f600" + type: hex + read: 200 + name: note + inputs: + - data: "000400000005005a000300" + type: hex + read: 200 + name: info + + read-size: 1024 + matchers: + - type: binary + part: info + binary: + - "5363686e656964657220456c65" + - type: binary + part: note + binary: + - "5363686e656964657220456c65" diff --git a/network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml b/network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml new file mode 100644 index 00000000000..e08cee2b561 --- /dev/null +++ b/network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml @@ -0,0 +1,27 @@ +id: Detect_defaul_config_cpppo_EthernetIP_CIP_honeypot + +info: + name: Detect default configuration for CPPPO honeypot + author: biero-el-corridor + severity: info + description: | + Default configuration of the CPPPO python Ethernet/IP CIP parser. + metadata: + max-request: 2 + vendor: alan bradley + product: Ethernet/IP CIP + tags: ICS,CIP,honeypot + +tcp: + - host: + - "{{Hostname}}" + - "{{Host}}:44818" + inputs: + - data: "63000000000000000000000000000000c1debed100000000" + type: hex + + read-size: 1024 + matchers: + - type: binary + binary: + - "63003c00000000000000000000000000c1debed10000000001000c00360001000002af1200000000000000000000000001000e003600140b60311a066c0014313735362d4c36312f42204c4f47495835353631ff" diff --git a/network/honeypot/snap7_honeypot_default_config.yaml b/network/honeypot/snap7_honeypot_default_config.yaml new file mode 100644 index 00000000000..4936c8f0df4 --- /dev/null 
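Review bot: The `tcp` entry in modicon-info.yaml declares `inputs:` twice in the same mapping (first with `info` and `note`, then again with a lone `info`); duplicate keys are invalid YAML and most loaders silently keep the last one, so the `note` input and the matcher on `part: note` never apply and the first two requests are never sent. Merge the requests into a single `inputs:` list, or drop the ones not needed. Since both matchers only look for `Schneider Ele` in a response, the Modbus Read Device Identification request (`000000000005002b0e0200`) alone would give the same verdict with one request and avoid the additional UMAS (function `5a`) requests, which go beyond identification on a production PLC — worth confirming the intent. The commit's later change to this file starts outside this hunk, so I cannot tell whether it addresses this.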
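Review bot: The `host` list in Ethernet_IP_CIP_conpot_default_config.yaml contains both `{{Hostname}}` and `{{Host}}:44818`, so the probe is sent twice per target, the first time to whatever port `{{Hostname}}` happens to carry; the detection templates in this commit use a single `{{Host}}:44818` entry. The identifiers also need fixing: `Detect_defaul_config_cpppo…` → `default`, `vendor: alan bradley` → `Allen-Bradley`, and the file name says `conpot` while the id and description say `cpppo`, so pick one. Consider noting in the description that the matcher is the full ListIdentity reply (including the echoed sender context `c1debed1`), so it only fires on that exact default identity.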
+++ b/network/honeypot/snap7_honeypot_default_config.yaml @@ -0,0 +1,35 @@ +id: detect-defaul-config-honeypot-snap7 + +info: + name: detect default configurations for snap7 honeypot + author: biero-el-corridor + severity: info + description: | + Default configurations of the snap7 python parser. + metadata: + max-request: 2 + vendor: Snap7 + product: s7comm + tags: ICS,s7comm,honeypot + +tcp: + - host: + - "{{Hostname}}" + - "{{Host}}:102" + inputs: + - data: "0300001611e00000001400c1020100c2020102c0010a" + type: hex + - data: "0300001902f08032010000000000080000f0000001000101e0" + type: hex + - data: "0300002102f080320700000000000800080001120411440100ff09000400110001" + type: hex + - data: "0300002102f080320700000000000800080001120411440100ff09000400110001" + type: hex + - data: "0300002102f080320700000000000800080001120411440100ff090004001c0001" + + + read-size: 512 + matchers: + - type: binary + binary: + - "0300001611d00014000100c1020100c2020102c0010a0300001b02f080320300000000000800000000f0000001000101e00300009902f080320700000000000c007c000112081284010000000000ff09007800110000001c0004000136455337203331352d32454831342d304142302000c000040001000636455337203331352d32454831342d304142302000c0000400010007202020202020202020202020202020202020202000c0560302060081426f6f74204c6f61646572202020202020202020000041200909" \ No newline at end of file From d92b51dce6627457cb1cae294da87290f9b67ff7 Mon Sep 17 00:00:00 2001 
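Review bot: The last input in snap7_honeypot_default_config.yaml (`- data: "0300002102f080320700000000000800080001120411440100ff090004001c0001"`) has no `type: hex`, so unlike its siblings it is written to the socket as a 66-character ASCII string instead of 33 bytes (its TPKT length field says `0x21`), which will not parse as a COTP/S7 PDU. Add `type: hex` under it. The third and fourth inputs are byte-identical, so one is probably a copy-paste leftover. The id `detect-defaul-config-honeypot-snap7` should read `default`.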
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Tue, 16 Dec 2025 02:13:25 +0530 Subject: [PATCH 02/11] enhance --- ..._Bradley_CompactLogix_enip-cip_detect.yaml | 31 ------------ ...llen_Bradley_Micro800_enip-cip_detect.yaml | 35 -------------- ...en_Bradley_MicroLogix_enip-cip_detect.yaml | 47 ------------------- .../Allen_Bradley_PLC-5_enip-cip_detect.yaml | 39 --------------- ...Allen_Bradley_SLC-500_enip-cip_detect.yaml | 35 -------------- .../Schneider-Modicon/modicon_340_detect.yaml | 34 -------------- .../Schneider-Modicon/modicon_580_detect.yaml | 34 -------------- .../allen-bradley-compactlogix-detect.yaml | 30 ++++++++++++ .../allen-bradley-guardplc-detect.yaml} | 18 ++++--- .../allen-bradley-micro800-detect.yaml | 29 ++++++++++++ .../allen-bradley-micrologix-detect.yaml | 34 ++++++++++++++ .../allen-bradley-plc5-detect.yaml | 35 ++++++++++++++ .../allen-bradley-slc-500-detect.yaml | 34 ++++++++++++++ .../detection/ics/red-lion-enip-detect.yaml | 35 ++++++++++++++ .../schneider-modicon-340-detect.yaml | 40 ++++++++++++++++ .../schneider-modicon-580-detect.yaml | 41 ++++++++++++++++ network/enumeration/modicon-info.yaml | 37 ++++++++------- ...Ethernet_IP_CIP_conpot_default_config.yaml | 27 ----------- .../cpppo-ethernetip-cip-honeypot.yaml | 27 +++++++++++ ...aml => snap7-honeypot-default-config.yaml} | 26 +++++----- 20 files changed, 349 insertions(+), 319 deletions(-) delete mode 100644 network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml delete mode 100644 network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml delete mode 100644 network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml delete mode 100644 network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml delete mode 100644 network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml delete mode 100644 network/detection/Schneider-Modicon/modicon_340_detect.yaml delete mode 100644 
network/detection/Schneider-Modicon/modicon_580_detect.yaml create mode 100644 network/detection/ics/allen-bradley/allen-bradley-compactlogix-detect.yaml rename network/detection/{Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml => ics/allen-bradley/allen-bradley-guardplc-detect.yaml} (55%) create mode 100644 network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml create mode 100644 network/detection/ics/allen-bradley/allen-bradley-micrologix-detect.yaml create mode 100644 network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml create mode 100644 network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml create mode 100644 network/detection/ics/red-lion-enip-detect.yaml create mode 100644 network/detection/ics/schneider-modicon/schneider-modicon-340-detect.yaml create mode 100644 network/detection/ics/schneider-modicon/schneider-modicon-580-detect.yaml delete mode 100644 network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml create mode 100644 network/honeypot/cpppo-ethernetip-cip-honeypot.yaml rename network/honeypot/{snap7_honeypot_default_config.yaml => snap7-honeypot-default-config.yaml} (62%) diff --git a/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml deleted file mode 100644 index 25cafb1a6d2..00000000000 --- a/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -id: Allen_Bradley_CompactLogix_enip-cip_detect - -info: - name: Allen_Bradley_CompactLogix_enip-cip_detected - author: biero-el-corridor - severity: info - description: | - detect Allen Bradley CompactLogix series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). - metadata: - max-request: 2 - vendor: Allen_Bradley - product: CompactLogix_series - shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" - tags: ICS,Allen_Bradley,CompactLogix_series - -tcp: - - host: - - "{{Host}}:44818" - inputs: - - data: "630000000000000000000000000000000000000000000000" - type: hex - read: 200 - name: info - - read-size: 1024 - matchers-condition: or - matchers: - - type: binary - part: info - binary: - - "313736392d" # 1769- (1769-L23: Built-in I/O || 1769-L24ER: With expansion capabilities || 1769-L30ER: Higher performance || 1769-L35ER: High-end version) \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml deleted file mode 100644 index ad74f3a1def..00000000000 --- a/network/detection/Allen-Bradley/Allen_Bradley_Micro800_enip-cip_detect.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: Allen_Bradley_Micro800_enip-cip_detect - -info: - name: Allen_Bradley_Micro800_enip-cip_detected - author: biero-el-corridor - severity: info - description: | - detect Allen Bradley Micro800 series cia enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). - metadata: - max-request: 2 - vendor: Allen_Bradley - product: Micro800_series - shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" - tags: ICS,Allen_Bradley,Micro800_series - -tcp: - - host: - - "{{Host}}:44818" - inputs: - - data: "630000000000000000000000000000000000000000000000" - type: hex - read: 200 - name: info - - read-size: 1024 - matchers: - - type: binary - part: info - binary: - - "323038302d" # 2080- https://literature.rockwellautomation.com/idc/groups/literature/documents/br/2080-br001_-en-p.pdf - # Modèles : - #2080-LC10-12AWA: 8 entrées numériques 120-240V AC, 4 sorties relais numériques. - #2080-LC10-12QWB: 8 entrées numériques 24V DC/VAC, 4 sorties relais numériques + 4 entrées analogiques 0-10V. - #2080-LC10-12DWD: 8 entrées numériques 12V DC, 4 sorties relais numériques + 4 entrées analogiques 0-10V. - #2080-LC10-12QBB: 8 entrées numériques 24V DC/VAC, 4 sorties source 24V DC + 4 entrées analogiques 0-10V. \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml deleted file mode 100644 index 4d69eadf183..00000000000 --- a/network/detection/Allen-Bradley/Allen_Bradley_MicroLogix_enip-cip_detect.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -id: Allen_Bradley_MicroLogix_enip-cip_detect - -info: - name: Allen_Bradley_MicroLogix_enip-cip_detected - author: biero-el-corridor - severity: info - description: | - detect Allen Bradley MicroLogix series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). - metadata: - max-request: 2 - vendor: Allen_Bradley - product: MicroLogix_series - shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" - tags: ICS,Allen_Bradley,MicroLogix_series - -tcp: - - host: - - "{{Host}}:44818" - inputs: - - data: "630000000000000000000000000000000000000000000000" - type: hex - read: 200 - name: info - - read-size: 1024 - matchers-condition: or - matchers: - - type: binary - part: info - binary: - - "313736312d" # 1761- (1761: Fixed I/O, entry-level controllers) - - type: binary - part: info - binary: - - "313736322d" # 1762- (1762: Similar to 1761 but with expansion capabilities) - - type: binary - part: info - binary: - - "313736332d" # 1763- (1763: MicroLogix 1100 series) - - type: binary - part: info - binary: - - "313736342d" # 1764- (1764: MicroLogix 1400 series) - - type: binary - part: info - binary: - - "313736362d" # 1766- (1766: MicroLogix 1500 series) \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml deleted file mode 100644 index 07d72630306..00000000000 --- a/network/detection/Allen-Bradley/Allen_Bradley_PLC-5_enip-cip_detect.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -id: Allen_Bradley_PLC-5_enip-cip_detect - -info: - name: Allen_Bradley_PLC-5_enip-cip_detected - author: biero-el-corridor - severity: info - description: | - detect Allen Bradley PLC-5 series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). - metadata: - max-request: 2 - vendor: Allen_Bradley - product: PLC-5_series - shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" - tags: ICS,Allen_Bradley,PLC-5_series - -tcp: - - host: - - "{{Host}}:44818" - inputs: - - data: "630000000000000000000000000000000000000000000000" - type: hex - read: 200 - name: info - - read-size: 1024 - matchers-condition: or - matchers: - - type: binary - part: info - binary: - - "313737312d" # 1771- - - type: binary - part: info - binary: - - "313737322d" # 1772- - - type: binary - part: info - binary: - - "313738352d" # 1785- https://www.ideadigitalcontent.com/files/11994/ID-SPE-1785-sg001_-en-p.pdf \ No newline at end of file diff --git a/network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml deleted file mode 100644 index bcd517912ac..00000000000 --- a/network/detection/Allen-Bradley/Allen_Bradley_SLC-500_enip-cip_detect.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: Allen_Bradley_SLC-500_enip-cip_detect - -info: - name: Allen_Bradley_SLC-500_enip-cip_detected - author: biero-el-corridor - severity: info - description: | - detect Allen Bradley SLC-500 series enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). - metadata: - max-request: 2 - vendor: Allen_Bradley - product: SLC-500_series - shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" - tags: ICS,Allen_Bradley,SLC-500_series - -tcp: - - host: - - "{{Host}}:44818" - inputs: - - data: "630000000000000000000000000000000000000000000000" - type: hex - read: 200 - name: info - - read-size: 1024 - matchers-condition: or - matchers: - - type: binary - part: info - binary: - - "313734362d" # 1746- - - type: binary - part: info - binary: - - "313737322d" # 1747- diff --git a/network/detection/Schneider-Modicon/modicon_340_detect.yaml b/network/detection/Schneider-Modicon/modicon_340_detect.yaml deleted file mode 100644 index b8d74658f69..00000000000 --- a/network/detection/Schneider-Modicon/modicon_340_detect.yaml +++ /dev/null @@ -1,34 +0,0 @@ -id: modicon_340_detect - -info: - name: mSchneider_modicon_580_detected - author: biero-el-corridor - severity: info - description: | - detect Schenider Electric Modicon 340 series via UMAS protocol. - metadata: - max-request: 2 - vendor: Schneider - product: Modicon340 - shodan-query: port:502 "P34" - tags: ICS,Schenider,modicon - -tcp: - - host: - - "{{Host}}:502" - inputs: - - data: "000000000005002b0e0200" - type: hex - read: 200 - name: info - - data: "000100000004005a0002" - type: hex - read: 200 - name: note - - read-size: 1024 - matchers: - - type: binary - part: note - binary: - - "424d5820503334" # BMX P34 diff --git a/network/detection/Schneider-Modicon/modicon_580_detect.yaml b/network/detection/Schneider-Modicon/modicon_580_detect.yaml deleted file mode 100644 index 568402c4fb2..00000000000 
--- a/network/detection/Schneider-Modicon/modicon_580_detect.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: modicon_580_detect
-
-info:
- name: Schneider_modicon_580_detected
- author: biero-el-corridor
- severity: info
- description: |
- detect Schenider Electric Modicon 580 series via UMAS protocol.
- metadata:
- max-request: 2
- vendor: Schneider
- product: Modicon580
- shodan-query: port:502 "P58"
- tags: ICS,Schenider,modicon
-
-tcp:
- - host:
- - "{{Host}}:502"
- inputs:
- - data: "000000000005002b0e0200"
- type: hex
- read: 200
- name: info
- - data: "000100000004005a0002"
- type: hex
- read: 200
- name: note
-
- read-size: 1024
- matchers:
- - type: binary
- part: note
- binary:
- - "424d4520503538" # BME P58
diff --git a/network/detection/ics/allen-bradley/allen-bradley-compactlogix-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-compactlogix-detect.yaml
new file mode 100644
index 00000000000..b215dfc1b35
--- /dev/null
+++ b/network/detection/ics/allen-bradley/allen-bradley-compactlogix-detect.yaml
@@ -0,0 +1,30 @@
+id: allen-bradley-compactlogix-detect
+
+info:
+ name: Allen-Bradley CompactLogix Series PLC - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected Allen-Bradley CompactLogix series via the ENIP-CIP protocol using the -resp flag to view the PLC model.
+ metadata:
+ verified: true
+ shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+ tags: ics,allen-bradley,compactlogix,detect,network,tcp
+
+tcp:
+ - inputs:
+ - data: "630000000000000000000000000000000000000000000000"
+ type: hex
+ read: 200
+ name: info
+
+ host:
+ - "{{Hostname}}"
+ port: 44818
+ read-size: 1024
+
+ matchers:
+ - type: binary
+ part: info
+ binary:
+ - "313736392d" # 1769- (1769-L23: Built-in I/O || 1769-L24ER: With expansion capabilities || 1769-L30ER: Higher performance || 1769-L35ER: High-end version)
\ No newline at end of file
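Review bot: The metadata block in allen-bradley-compactlogix-detect.yaml drops `max-request`, `vendor` and `product` that the guardplc and plc5 templates in this commit keep, and is the only one carrying `verified: true`; settle on one metadata shape for the series. The description still says "using the -resp flag to view the PLC model", which describes a CLI option rather than what the template detects; reword to the form used by the other new files, e.g. `Detected Allen-Bradley (Rockwell Automation) CompactLogix series PLCs by identifying the 1769- model prefix via the EtherNet/IP CIP protocol over port 44818.` The file also still ends without a trailing newline.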
diff --git a/network/detection/Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml similarity index 55% rename from network/detection/Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml rename to network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml index d052aa87422..04db110a5e0 100644 --- a/network/detection/Allen-Bradley/Allen_Bradley_GuardPLC_enip-cip_detect.yaml +++ b/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml @@ -1,38 +1,42 @@ -id: Allen_Bradley_GuardPLC_enip-cip_detect +id: allen-bradley-guardplc-detect info: - name: Allen_Bradley_GuardPLC_enip-cip_detected + name: Allen-Bradley GuardPLC Series PLC - Detect author: biero-el-corridor severity: info description: | - detect Allen Bradley GuardPLC series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template). + Detected Allen-Bradley (Rockwell Automation) GuardPLC series PLCs by identifying 1753-, 1754-, and 1755- model prefixes via the EtherNet/IP CIP protocol over port 44818. GuardPLC is a safety-rated PLC family designed for safety-critical industrial automation and SIS applications. metadata: max-request: 2 vendor: Allen_Bradley product: GuardPLC_series - shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley" + shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"' tags: ICS,Allen_Bradley,GuardPLC_series tcp: - - host: - - "{{Host}}:44818" - inputs: + - inputs: - data: "630000000000000000000000000000000000000000000000" type: hex read: 200 name: info + host: + - "{{Hostname}}" + port: 44818 read-size: 1024 + matchers-condition: or matchers: - type: binary part: info binary: - "313735332d" # 1753 + - type: binary part: info binary: - "313735342d" # 1754 + - type: binary part: info binary: 
diff --git a/network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml
new file mode 100644
index 00000000000..570e054ac76
--- /dev/null
+++ b/network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml
@@ -0,0 +1,29 @@
+id: allen-bradley-micro800-detect
+
+info:
+ name: Allen-Bradley Micro800 Series PLC - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected Allen-Bradley (Rockwell Automation) Micro800 series PLCs by identifying the 2080- model prefix via the EtherNet/IP CIP protocol over port 44818. The Micro800 series is a compact PLC family widely used in industrial automation and control systems.
+ metadata:
+ shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+ tags: ics,Allen_Bradley,Micro800_series
+
+tcp:
+ - inputs:
+ - data: "630000000000000000000000000000000000000000000000"
+ type: hex
+ read: 200
+ name: info
+
+ host:
+ - "{{Hostname}}"
+ port: 44818
+ read-size: 1024
+
+ matchers:
+ - type: binary
+ part: info
+ binary:
+ - "323038302d"
\ No newline at end of file
diff --git a/network/detection/ics/allen-bradley/allen-bradley-micrologix-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-micrologix-detect.yaml
new file mode 100644
index 00000000000..127b554979b
--- /dev/null
+++ b/network/detection/ics/allen-bradley/allen-bradley-micrologix-detect.yaml
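Review bot: `tags: ics,Allen_Bradley,Micro800_series` in allen-bradley-micro800-detect.yaml keeps the old underscore/CamelCase tags while compactlogix and micrologix moved to `ics,allen-bradley,…,detect,network,tcp`; tags drive template selection, so `-tags allen-bradley` would skip this file. Use `tags: ics,allen-bradley,micro800,detect,network,tcp`; the same applies to allen-bradley-plc5-detect.yaml (`ics,Allen_Bradley,PLC-5_series`). The `# 2080-` comment that explained the `323038302d` pattern was dropped in the rewrite; restoring it as `- "323038302d" # 2080-` keeps the byte string readable, and the description's claim about the 2080- prefix then has something to point at.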
@@ -0,0 +1,34 @@
+id: allen-bradley-micrologix-detect
+
+info:
+ name: Allen-Bradley MicroLogix Series PLC - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected Allen-Bradley (Rockwell Automation) MicroLogix series PLCs by identifying the 1761-, 1762-, 1763-, 1764-, and 1766- model prefixes via the EtherNet/IP CIP protocol over port 44818.The MicroLogix series includes compact PLCs such as the 1100, 1400, and 1500, widely used in industrial automation and control systems.
+ metadata:
+ shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+ tags: ics,allen-bradley,micrologix,detect,network,tcp
+
+tcp:
+ - inputs:
+ - data: "630000000000000000000000000000000000000000000000"
+ type: hex
+ read: 200
+ name: info
+
+ host:
+ - "{{Hostname}}"
+ port: 44818
+ read-size: 1024
+
+ matchers:
+ - type: binary
+ part: info
+ binary:
+ - "313736312d" # 1761- (1761: Fixed I/O, entry-level controllers)
+ - "313736322d" # 1762- (1762: Similar to 1761 but with expansion capabilities)
+ - "313736332d" # 1763- (1763: MicroLogix 1100 series)
+ - "313736342d" # 1764- (1764: MicroLogix 1400 series)
+ - "313736362d" # 1766- (1766: MicroLogix 1500 series)
+ condition: or
\ No newline at end of file
diff --git a/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
new file mode 100644
index 00000000000..1f463f49014
--- /dev/null
+++ b/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
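Review bot: The description runs two sentences together — `over port 44818.The MicroLogix series` — and is missing the space after the period; the same missing space appears in the Modicon 340, Modicon 580, modicon-info and snap7 descriptions in this series. The file also ends without a trailing newline (`condition: or` is followed by `\ No newline at end of file`) and no later patch here touches this file, so it should be fixed in this commit.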
@@ -0,0 +1,35 @@
+id: allen-bradley-plc5-detect
+
+info:
+ name: Allen-Bradley PLC-5 Series PLC - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected Allen-Bradley (Rockwell Automation) PLC-5 series PLCs by identifying the 1771-, 1772-, and 1785- model prefixes via the EtherNet/IP CIP protocol over port 44818.
+ metadata:
+ max-request: 2
+ vendor: Allen_Bradley
+ product: PLC-5_series
+ shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+ tags: ics,Allen_Bradley,PLC-5_series
+
+tcp:
+ - inputs:
+ - data: "630000000000000000000000000000000000000000000000"
+ type: hex
+ read: 200
+ name: info
+
+ host:
+ - "{{Hostname}}"
+ port: 44818
+ read-size: 1024
+
+ matchers:
+ - type: binary
+ part: info
+ binary:
+ - "313737312d" # 1771
+ - "313737322d" # 1772
+ - "313738352d" # 1785- https://www.ideadigitalcontent.com/files/11994/ID-SPE-1785-sg001_-en-p.pdf
+ condition: or
\ No newline at end of file
diff --git a/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
new file mode 100644
index 00000000000..e342802a65a
--- /dev/null
+++ b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
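Review bot: The catalog prefixes attributed to PLC-5 deserve a check before this ships: to my knowledge `1785-` is the PLC-5 processor line, `1771-` is the 1771 I/O/chassis family and `1772-` belongs to the older PLC-2 family, so a hit on `1771-` or `1772-` may be an I/O module or a PLC-2 rather than a PLC-5 controller — worth confirming against the selection guide already linked in the `1785-` comment. The `# 1771` and `# 1772` comments also drop the trailing hyphen that the hex itself encodes (`2d`) and that the other templates' comments keep; `# 1771-` / `# 1772-` would be consistent.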
@@ -0,0 +1,34 @@
+id: allen-bradley-slc-500-detect
+
+info:
+ name: Allen-Bradley SLC-500 Series PLC - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected Allen-Bradley (Rockwell Automation) SLC-500 series PLCs by identifying the 1746- and 1747- model prefixes via the EtherNet/IP CIP protocol over port 44818. The SLC-500 series is a legacy but still widely deployed PLC family used in industrial automation and control systems.
+ metadata:
+ max-request: 2
+ vendor: Allen_Bradley
+ product: SLC-500_series
+ shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+ tags: ics,Allen_Bradley,SLC-500_series
+
+tcp:
+ - inputs:
+ - data: "630000000000000000000000000000000000000000000000"
+ type: hex
+ read: 200
+ name: info
+
+ host:
+ - "{{Hostname}}"
+ port: 44818
+ read-size: 1024
+
+ matchers:
+ - type: binary
+ part: info
+ binary:
+ - "313734362d" # 1746-
+ - "313737322d" # 1747-
+ condition: or
\ No newline at end of file
diff --git a/network/detection/ics/red-lion-enip-detect.yaml b/network/detection/ics/red-lion-enip-detect.yaml
new file mode 100644
index 00000000000..f9bdc38ff8f
--- /dev/null
+++ b/network/detection/ics/red-lion-enip-detect.yaml
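Review bot: The second prefix is mislabeled and wrong: `313737322d` decodes to ASCII `1772-`, not `1747-` (which would be `313734372d`), so the template never matches 1747- SLC-500 controllers and instead fires on the `1772-` prefix that the PLC-5 template already claims — every such device would be reported as both families. The line should read `- "313734372d" # 1747-`. The later tag and metadata patches that touch this file carry the wrong value through unchanged as context, so nothing in the series corrects it.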
@@ -0,0 +1,35 @@
+id: red-lion-enip-detect
+
+info:
+ name: Red Lion ENIP - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detects Red Lion industrial control devices by sending Ethernet/IP (ENIP) protocol requests to port 789 and identifying devices that respond with "Red Lion Controls" in their response. This template can be used to discover and fingerprint Red Lion devices on industrial networks.
+ metadata:
+ max-request: 2
+ vendor: Schneider
+ product: Modicon340
+ tags: ics,redlion,detect,network,tcp
+
+tcp:
+ - inputs:
+ - data: "0004012b1b00"
+ type: hex
+ read: 200
+ name: info
+ - data: "0004012a1a00"
+ type: hex
+ read: 200
+ name: note
+
+ host:
+ - "{{Hostname}}"
+ port: 502
+ read-size: 1024
+
+ matchers:
+ - type: binary
+ part: info
+ binary:
+ - "526564204c696f6e20436f6e74726f6c73" # Red Lion Controls
\ No newline at end of file
diff --git a/network/detection/ics/schneider-modicon/schneider-modicon-340-detect.yaml b/network/detection/ics/schneider-modicon/schneider-modicon-340-detect.yaml
new file mode 100644
index 00000000000..bc4bae50f0c
--- /dev/null
+++ b/network/detection/ics/schneider-modicon/schneider-modicon-340-detect.yaml
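Review bot: The description and the connection details disagree: the text says the requests go to port 789 (the deleted original used `{{Host}}:789 # ENIP Port`), but the new file sets `port: 502`, the Modbus port the Modicon templates in this series use — one of the two is a copy-paste slip, and given the original file and the two 6-byte request payloads the port is the more likely one. The second input is named `note` but no matcher references it, so it is a wasted request; either drop it or add a matcher on `part: note`. The `vendor`/`product` values are likewise copied from the Modicon template, which the final patch in this series already removes.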
@@ -0,0 +1,40 @@
+id: schneider-modicon-340-detect
+
+info:
+ name: Schneider Electric Modicon 340 Series PLC - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected Schneider Electric Modicon 340 series PLCs by identifying the BMX P34 signature via the UMAS protocol over Modbus TCP (port 502).The Modicon 340 series is part of Schneider Electric’s industrial automation product line used in Industrial Control Systems (ICS).
+ metadata:
+ verified: true
+ shodan-query: port:502 "P34"
+ tags: ics,schenider,modicon,detect,network
+
+tcp:
+ - inputs:
+ - data: "000000000005002b0e0200"
+ type: hex
+ read: 200
+ name: info
+ - data: "000100000004005a0002"
+ type: hex
+ read: 200
+ name: note
+
+ host:
+ - "{{Hostname}}"
+ port: 502
+ read-size: 1024
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: note
+ words:
+ - "BMX P34"
+
+ - type: word
+ part: info
+ words:
+ - "Schneider Electric"
diff --git a/network/detection/ics/schneider-modicon/schneider-modicon-580-detect.yaml b/network/detection/ics/schneider-modicon/schneider-modicon-580-detect.yaml
new file mode 100644
index 00000000000..881837933db
--- /dev/null
+++ b/network/detection/ics/schneider-modicon/schneider-modicon-580-detect.yaml
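Review bot: `tags: ics,schenider,modicon,detect,network` misspells the vendor — it should be `schneider`, as the modicon-info template spells it — and the same typo is in the Modicon 580 hunk that follows; a misspelled tag silently excludes the template from `-tags schneider` runs. The description is missing a space after the period in `(port 502).The Modicon 340 series`. `shodan-query: port:502 "P34"` is a plain scalar containing embedded double quotes while the Allen-Bradley files single-quote theirs; `shodan-query: 'port:502 "P34"'` is the consistent and safer form.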
@@ -0,0 +1,41 @@
+id: schneider-modicon-580-detect
+
+info:
+ name: Schneider Electric Modicon 580 Series PLC - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected Schneider Electric Modicon 580 series PLCs by identifying the BME P58 signature via the UMAS protocol over Modbus TCP (port 502).The Modicon 580 series is part of Schneider Electric’s industrial automation product line used in Industrial Control Systems (ICS).
+ metadata:
+ verified: true
+ max-request: 2
+ shodan-query: port:502 "P58"
+ tags: ics,schenider,modicon,detect,network
+
+tcp:
+ - inputs:
+ - data: "000000000005002b0e0200"
+ type: hex
+ read: 200
+ name: info
+ - data: "000100000004005a0002"
+ type: hex
+ read: 200
+ name: note
+
+ host:
+ - "{{Hostname}}"
+ port: 502
+ read-size: 1024
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: note
+ words:
+ - "BME P58"
+
+ - type: word
+ part: info
+ words:
+ - "Schneider Electric"
\ No newline at end of file
diff --git a/network/enumeration/modicon-info.yaml b/network/enumeration/modicon-info.yaml
index 914e76eca7b..16b59780c24 100644
--- a/network/enumeration/modicon-info.yaml
+++ b/network/enumeration/modicon-info.yaml
@@ -1,22 +1,20 @@
 id: modicon_info
 info:
- name: modicon_info
+ name: Schneider Modicon PLC Information Disclosure
 author: biero-el-corridor
 severity: info
 description: |
- Grab info on the Modicon PLC.
+ Detected Schneider Electric Modicon PLCs via the Modbus TCP protocol by extracting device identification information.Extracted the device model and version from responses on port 502 for fingerprinting and ICS vulnerability assessment.
 metadata:
- max-request: 2
+ verified: true
 vendor: Schneider
 product: Modicon
 shodan-query: "Device Identification: Schneider Electric"
- tags: ICS,modicon,schneider
+ tags: ics,modicon,schneider,detect,network,tcp
 tcp:
- - host:
- "{{Host}}:502"
- inputs:
+ - inputs:
 - data: "000000000005002b0e0200"
 type: hex
 read: 200
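Review bot: In the modicon-info hunk the new description reads `identification information.Extracted the device model …` — a missing space, and two past-tense sentences (`Detected …`, `Extracted …`) describing a template that performs the detection and extraction; `Detects Schneider Electric Modicon PLCs over Modbus TCP (port 502) and extracts the device model and version from the device-identification response.` states the same thing in the voice the other templates use. `max-request: 2` was replaced by `verified: true` although the template still sends three inputs; if a request count is kept anywhere in the series it should be 3, not 2.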
@@ -25,19 +23,24 @@ tcp:
 type: hex
 read: 200
 name: note
- inputs:
 - data: "000400000005005a000300"
 type: hex
 read: 200
 name: info
-
+
+ host:
+ - "{{Hostname}}"
+ port: 502
 read-size: 1024
+ matchers:
- - type: binary
- part: info
- binary:
- - "5363686e656964657220456c65"
- - type: binary
- part: note
- binary:
- - "5363686e656964657220456c65"
+ - type: word
+ part: raw
+ words:
+ - "Schneider Electric"
+
+ extractors:
+ - type: regex
+ group: 1
+ regex:
+ - "Schneider Electric ([A-Z 0-9a-z.]+)"
\ No newline at end of file
diff --git a/network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml b/network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml
deleted file mode 100644
index e08cee2b561..00000000000
--- a/network/honeypot/Ethernet_IP_CIP_conpot_default_config.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: Detect_defaul_config_cpppo_EthernetIP_CIP_honeypot
-
-info:
- name: Detect default configuration for CPPPO honeypot
- author: biero-el-corridor
- severity: info
- description: |
- Default configuration of the CPPPO python Ethernet/IP CIP parser.
- metadata:
- max-request: 2
- vendor: alan bradley
- product: Ethernet/IP CIP
- tags: ICS,CIP,honeypot
-
-tcp:
- - host:
- - "{{Hostname}}"
- - "{{Host}}:44818"
- inputs:
- - data: "63000000000000000000000000000000c1debed100000000"
- type: hex
-
- read-size: 1024
- matchers:
- - type: binary
- binary:
- - "63003c00000000000000000000000000c1debed10000000001000c00360001000002af1200000000000000000000000001000e003600140b60311a066c0014313735362d4c36312f42204c4f47495835353631ff"
diff --git a/network/honeypot/cpppo-ethernetip-cip-honeypot.yaml b/network/honeypot/cpppo-ethernetip-cip-honeypot.yaml
new file mode 100644
index 00000000000..4e260c0283d
--- /dev/null
+++ b/network/honeypot/cpppo-ethernetip-cip-honeypot.yaml
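Review bot: The third input keeps `name: info`, which appears to be the same name as the first input (the removed matchers referenced `part: info` and `part: note`, and the first input's `name:` line sits just above this hunk), so two responses share one name and one is likely to shadow the other; giving the third a distinct name such as `name: ident` removes the ambiguity. The new extractor has no `part:` while the matcher uses `part: raw`; stating `part: raw` on the extractor makes the intent explicit. The capture group `([A-Z 0-9a-z.]+)` includes a space and is greedy, so it will run past the model token into whatever printable text follows in the reply — worth tightening once sample replies have been checked.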
@@ -0,0 +1,27 @@
+id: cpppo-ethernetip-cip-honeypot
+
+info:
+ name: CPPPO Ethernet/IP CIP Honeypot Default Configuration - Detect
+ author: biero-el-corridor
+ severity: info
+ description: |
+ Detected devices responding with the default configuration signature of the CPPPO (Python-based) Ethernet/IP CIP parser honeypot.This indicates systems likely running the default Conpot honeypot configuration for ICS using the Common Industrial Protocol (CIP) over Ethernet/IP.
+ reference:
+ - https://github.com/claroty/enip-stack-detector
+ tags: ics,cip,honeypot,network,tcp
+
+tcp:
+ - inputs:
+ - data: "63000000000000000000000000000000c1debed100000000"
+ type: hex
+
+ host:
+ - "{{Hostname}}"
+ port: 44818
+ read-size: 1024
+
+ matchers:
+ - type: word
+ part: info
+ words:
+ - "63003c00000000000000000000000000c1debed10000000001000c00360001000002af1200000000000000000000000001000e003600140b60311a066c0014313735362d4c36312f42204c4f47495835353631ff"
\ No newline at end of file
diff --git a/network/honeypot/snap7_honeypot_default_config.yaml b/network/honeypot/snap7-honeypot-default-config.yaml
similarity index 62%
rename from network/honeypot/snap7_honeypot_default_config.yaml
rename to network/honeypot/snap7-honeypot-default-config.yaml
index 4936c8f0df4..1afb1df44b1 100644
--- a/network/honeypot/snap7_honeypot_default_config.yaml
+++ b/network/honeypot/snap7-honeypot-default-config.yaml
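Review bot: The matcher was changed from `type: binary` in the deleted file to `type: word`, but the value is still the hex encoding of the expected ListIdentity reply; a word matcher compares text against the raw response bytes, so this hex string is unlikely ever to match and the template would be silently dead. It should be `type: binary` with a `binary:` list, as in the file this replaces, and `part: info` should either be dropped or the input should gain `name: info`, since no input in this file is named. The description also says the signature indicates a `default Conpot honeypot configuration` while the id, name and first sentence are about the CPPPO parser — these are different projects, so pick one; the linked reference is a third project and does not settle it. `honeypot.This` is missing a space as well.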
@@ -1,22 +1,18 @@
-id: detect-defaul-config-honeypot-snap7
+id: snap7-honeypot-default-config
 info:
- name: detect default configurations for snap7 honeypot
+ name: Snap7 Honeypot Default Configuration - Detect
 author: biero-el-corridor
 severity: info
 description: |
- Default configurations of the snap7 python parser.
- metadata:
- max-request: 2
- vendor: Snap7
- product: s7comm
- tags: ICS,s7comm,honeypot
+ Detected honeypot instances using default snap7 (S7comm protocol) configurations by analyzing response patterns to S7comm requests.These signatures indicate systems likely running in research or security testing environments rather than production ICS.
+ reference:
+ - https://github.com/sefcom/honeyplc
+ - https://medium.com/@biero-llagas/simple-use-of-the-python-snap7-lib-now-with-real-honeypot-11a2979baaf0
+ tags: ics,s7comm,detect,honeypot,network,network,tcp
 tcp:
- - host:
- "{{Hostname}}"
- "{{Host}}:102"
- inputs:
+ - inputs:
 - data: "0300001611e00000001400c1020100c2020102c0010a"
 type: hex
 - data: "0300001902f08032010000000000080000f0000001000101e0"
@@ -26,9 +22,13 @@ tcp:
 - data: "0300002102f080320700000000000800080001120411440100ff09000400110001"
 type: hex
 - data: "0300002102f080320700000000000800080001120411440100ff090004001c0001"
+ type: hex
-
+ host:
+ - "{{Hostname}}"
+ port: 102
 read-size: 512
+ matchers:
 - type: binary
 binary:
From e4b951189109f2657ca99e206b7ffa6b1d2bcc32 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Tue, 16 Dec 2025 02:14:39 +0530
Subject: [PATCH 03/11] removed - Duplicate
---
 network/detection/Red_Lion_enip_detect.yaml | 33 ---------------------
 1 file changed, 33 deletions(-)
 delete mode 100644 network/detection/Red_Lion_enip_detect.yaml
diff --git a/network/detection/Red_Lion_enip_detect.yaml b/network/detection/Red_Lion_enip_detect.yaml
deleted file mode 100644
index 6c0e15bf994..00000000000
--- a/network/detection/Red_Lion_enip_detect.yaml
+++ /dev/null
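Review bot: `tags: ics,s7comm,detect,honeypot,network,network,tcp` lists `network` twice; drop the duplicate. The description again joins two sentences without a space (`S7comm requests.These signatures`). The removed `metadata:` block took `max-request` with it while the file still sends several S7comm inputs; if the repository's tooling regenerates that field it is fine, otherwise it should be restored with the actual count.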
@@ -1,33 +0,0 @@
-id: Red_Lion_enip_detect
-
-info:
- name: Red_Lion_enip_detect
- author: biero-el-corridor
- severity: info
- description: |
- detect Red Lion (shodan query: port:789 "Red Lion Controls").
- metadata:
- max-request: 2
- vendor: Schneider
- product: Modicon340
- tags: ICS,RedLion
-
-tcp:
- - host:
- - "{{Host}}:789" # ENIP Port
- inputs:
- - data: "0004012b1b00"
- type: hex
- read: 200
- name: info
- - data: "0004012a1a00"
- type: hex
- read: 200
- name: note
-
- read-size: 1024
- matchers:
- - type: binary
- part: info
- binary:
- - "526564204c696f6e20436f6e74726f6c73" # Red Lion Controls
From e043936d17c9d9f55ff95b93f976207429bd4534 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Tue, 16 Dec 2025 02:25:12 +0530
Subject: [PATCH 04/11] Update snap7-honeypot-default-config.yaml
---
 network/honeypot/snap7-honeypot-default-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/network/honeypot/snap7-honeypot-default-config.yaml b/network/honeypot/snap7-honeypot-default-config.yaml
index 1afb1df44b1..25027d95831 100644
--- a/network/honeypot/snap7-honeypot-default-config.yaml
+++ b/network/honeypot/snap7-honeypot-default-config.yaml
@@ -7,8 +7,8 @@ info:
 description: |
 Detected honeypot instances using default snap7 (S7comm protocol) configurations by analyzing response patterns to S7comm requests.These signatures indicate systems likely running in research or security testing environments rather than production ICS.
 reference:
- - https://github.com/sefcom/honeyplc
- - https://medium.com/@biero-llagas/simple-use-of-the-python-snap7-lib-now-with-real-honeypot-11a2979baaf0
+ - https://github.com/sefcom/honeyplc
+ - https://medium.com/@biero-llagas/simple-use-of-the-python-snap7-lib-now-with-real-honeypot-11a2979baaf0
 tags: ics,s7comm,detect,honeypot,network,network,tcp
 tcp:
@@ -32,4 +32,4 @@ tcp:
 matchers:
 - type: binary
 binary:
- - "0300001611d00014000100c1020100c2020102c0010a0300001b02f080320300000000000800000000f0000001000101e00300009902f080320700000000000c007c000112081284010000000000ff09007800110000001c0004000136455337203331352d32454831342d304142302000c000040001000636455337203331352d32454831342d304142302000c0000400010007202020202020202020202020202020202020202000c0560302060081426f6f74204c6f61646572202020202020202020000041200909"
\ No newline at end of file
+ - "0300001611d00014000100c1020100c2020102c0010a0300001b02f080320300000000000800000000f0000001000101e00300009902f080320700000000000c007c000112081284010000000000ff09007800110000001c0004000136455337203331352d32454831342d304142302000c000040001000636455337203331352d32454831342d304142302000c0000400010007202020202020202020202020202020202020202000c0560302060081426f6f74204c6f61646572202020202020202020000041200909"
From 1ac92d7b0968eadc98374e20f3e4e72a132894b8 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Tue, 16 Dec 2025 02:26:25 +0530
Subject: [PATCH 05/11] Update allen-bradley-slc-500-detect.yaml
---
 .../ics/allen-bradley/allen-bradley-slc-500-detect.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
index e342802a65a..50eeffa45ea 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
@@ -11,7 +11,7 @@ info:
 vendor: Allen_Bradley
 product: SLC-500_series
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
- tags: ics,Allen_Bradley,SLC-500_series
+ tags: ics,allen_bradley,slc-500
 tcp:
 - inputs:
@@ -31,4 +31,4 @@ tcp:
 binary:
 - "313734362d" # 1746-
 - "313737322d" # 1747-
- condition: or
\ No newline at end of file
+ condition: or
From 10f78b2c35cc6d5a4bba3d0722c3262a98ce90f4 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Tue, 16 Dec 2025 02:31:41 +0530
Subject: [PATCH 06/11] tags - update
---
 .../ics/allen-bradley/allen-bradley-guardplc-detect.yaml | 2 +-
 .../ics/allen-bradley/allen-bradley-micro800-detect.yaml | 2 +-
 .../detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml | 2 +-
 .../ics/allen-bradley/allen-bradley-slc-500-detect.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml
index 04db110a5e0..96fa41ddd41 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml
@@ -11,7 +11,7 @@ info:
 vendor: Allen_Bradley
 product: GuardPLC_series
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
- tags: ICS,Allen_Bradley,GuardPLC_series
+ tags: ics,allen-bradley,guardplc,detect,network,tcp
 tcp:
 - inputs:
diff --git a/network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml
index 570e054ac76..a546d0f1d6c 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml
@@ -8,7 +8,7 @@ info:
 Detected Allen-Bradley (Rockwell Automation) Micro800 series PLCs by identifying the 2080- model prefix via the EtherNet/IP CIP protocol over port 44818. The Micro800 series is a compact PLC family widely used in industrial automation and control systems.
 metadata:
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
- tags: ics,Allen_Bradley,Micro800_series
+ tags: ics,allen-bradley,micro800,detect,network,tcp
 tcp:
 - inputs:
diff --git a/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
index 1f463f49014..cfe6e68e821 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
@@ -11,7 +11,7 @@ info:
 vendor: Allen_Bradley
 product: PLC-5_series
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
- tags: ics,Allen_Bradley,PLC-5_series
+ tags: ics,allen-bradley,plc-5,detect,network,tcp
 tcp:
 - inputs:
diff --git a/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
index e342802a65a..3aebaac3300 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
@@ -11,7 +11,7 @@ info:
 vendor: Allen_Bradley
 product: SLC-500_series
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
- tags: ics,Allen_Bradley,SLC-500_series
+ tags: ics,allen-bradley,slc-500,detect,network,tcp
 tcp:
 - inputs:
From df92a2d40a0eaf30401ccc8f2fff879c4bfc8f5d Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 25 Dec 2025 22:04:54 +0530
Subject: [PATCH 07/11] Update allen-bradley-guardplc-detect.yaml
---
 .../ics/allen-bradley/allen-bradley-guardplc-detect.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml
index 96fa41ddd41..d37099f9d1a 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml
@@ -7,9 +7,6 @@ info:
 description: |
 Detected Allen-Bradley (Rockwell Automation) GuardPLC series PLCs by identifying 1753-, 1754-, and 1755- model prefixes via the EtherNet/IP CIP protocol over port 44818. GuardPLC is a safety-rated PLC family designed for safety-critical industrial automation and SIS applications.
 metadata:
- max-request: 2
- vendor: Allen_Bradley
- product: GuardPLC_series
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
 tags: ics,allen-bradley,guardplc,detect,network,tcp
@@ -40,4 +37,4 @@ tcp:
 - type: binary
 part: info
 binary:
- - "313735352d" # 1755
\ No newline at end of file
+ - "313735352d" # 1755
From 891b8773ce3735caa34d6c9b1ec21fcd07cfd241 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 25 Dec 2025 22:05:21 +0530
Subject: [PATCH 08/11] Update allen-bradley-plc5-detect.yaml
---
 .../ics/allen-bradley/allen-bradley-plc5-detect.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
index cfe6e68e821..7118fc86cd8 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml
@@ -7,9 +7,6 @@ info:
 description: |
 Detected Allen-Bradley (Rockwell Automation) PLC-5 series PLCs by identifying the 1771-, 1772-, and 1785- model prefixes via the EtherNet/IP CIP protocol over port 44818.
 metadata:
- max-request: 2
- vendor: Allen_Bradley
- product: PLC-5_series
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
 tags: ics,allen-bradley,plc-5,detect,network,tcp
@@ -32,4 +29,4 @@ tcp:
 - "313737312d" # 1771
 - "313737322d" # 1772
 - "313738352d" # 1785- https://www.ideadigitalcontent.com/files/11994/ID-SPE-1785-sg001_-en-p.pdf
- condition: or
\ No newline at end of file
+ condition: or
From 5a09892484528197fa853a06e46c044a3cf634ac Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 25 Dec 2025 22:05:39 +0530
Subject: [PATCH 09/11] Update allen-bradley-slc-500-detect.yaml
---
 .../ics/allen-bradley/allen-bradley-slc-500-detect.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
index b585b94b42e..cd702a7cec4 100644
--- a/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
+++ b/network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml
@@ -7,9 +7,6 @@ info:
 description: |
 Detected Allen-Bradley (Rockwell Automation) SLC-500 series PLCs by identifying the 1746- and 1747- model prefixes via the EtherNet/IP CIP protocol over port 44818. The SLC-500 series is a legacy but still widely deployed PLC family used in industrial automation and control systems.
 metadata:
- max-request: 2
- vendor: Allen_Bradley
- product: SLC-500_series
 shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
 tags: ics,allen-bradley,slc-500,detect,network,tcp
From e0a8b5623dec81f1a9e353f2c0e6e4fb746c6573 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 25 Dec 2025 22:13:03 +0530
Subject: [PATCH 10/11] Update red-lion-enip-detect.yaml
---
 network/detection/ics/red-lion-enip-detect.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/network/detection/ics/red-lion-enip-detect.yaml b/network/detection/ics/red-lion-enip-detect.yaml
index f9bdc38ff8f..7c7c36f5e19 100644
--- a/network/detection/ics/red-lion-enip-detect.yaml
+++ b/network/detection/ics/red-lion-enip-detect.yaml
@@ -8,8 +8,6 @@ info:
 Detects Red Lion industrial control devices by sending Ethernet/IP (ENIP) protocol requests to port 789 and identifying devices that respond with "Red Lion Controls" in their response. This template can be used to discover and fingerprint Red Lion devices on industrial networks.
 metadata:
 max-request: 2
- vendor: Schneider
- product: Modicon340
 tags: ics,redlion,detect,network,tcp
 tcp:
@@ -32,4 +30,4 @@ tcp:
 - type: binary
 part: info
 binary:
- - "526564204c696f6e20436f6e74726f6c73" # Red Lion Controls
\ No newline at end of file
+ - "526564204c696f6e20436f6e74726f6c73" # Red Lion Controls
From 4d904a41e6b579b6ab136580d979bb96b63f254a Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 25 Dec 2025 22:13:43 +0530
Subject: [PATCH 11/11] Update modicon-info.yaml
---
 network/enumeration/modicon-info.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/network/enumeration/modicon-info.yaml b/network/enumeration/modicon-info.yaml
index 16b59780c24..1844fb361c5 100644
--- a/network/enumeration/modicon-info.yaml
+++ b/network/enumeration/modicon-info.yaml
@@ -1,4 +1,4 @@
-id: modicon_info
+id: modicon-info
 info:
 name: Schneider Modicon PLC Information Disclosure
@@ -8,8 +8,6 @@ info:
 Detected Schneider Electric Modicon PLCs via the Modbus TCP protocol by extracting device identification information.Extracted the device model and version from responses on port 502 for fingerprinting and ICS vulnerability assessment.
 metadata:
 verified: true
- vendor: Schneider
- product: Modicon
 shodan-query: "Device Identification: Schneider Electric"
 tags: ics,modicon,schneider,detect,network,tcp
@@ -43,4 +41,4 @@
 - type: regex
 group: 1
 regex:
- - "Schneider Electric ([A-Z 0-9a-z.]+)"
\ No newline at end of file
+ - "Schneider Electric ([A-Z 0-9a-z.]+)"