Skip to content

Latest commit

 

History

History
60 lines (41 loc) · 5.65 KB

README.md

File metadata and controls

60 lines (41 loc) · 5.65 KB

ICS Tools - Analysis

Developed as a community asset

Analysis

Firmware

Logs

  • Plaso - Log2timeline - log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them.

Malware

  • YARA - YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.
  • Volatility - The Volatility Framework is a completely open collection of tools,implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
  • OPC Data Access IDAPython script - An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol. It can be used to analyse such malware families as Havex RAT and Win32/Industroyer.
  • FLARE VM - FLARE VM is a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
  • Control Things Tools Bin - The goal of ctbin is to become the security professional’s Swiss army knife for analyzing binary files.

Network

  • GRASSMARLIN - GRASSMARLIN provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks to support network security. Passively map, and visually display, an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems.
  • ARMORE - ARMORE was developed to be an open-source software solution that will aid asset owners by increasing visibility, securing communications, and inspecting ICS communications for behavior that is not intended. Built around Bro and Linux.
  • EDMAND - EDMAND Anomaly detection framework. Built around Bro.
  • AIUS - AIUS Repository (EDMAND/CAPTAR combination). Built around Bro.
  • ML NIDS For ICS - Machine learning techniques for Intrusion Detection in SCADA Systems.
  • Malcolm - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
  • Flare - An analytical framework for network traffic and behavioral analytics
  • Skydive - An open source real-time network topology and protocols analyzer
  • Zeek Goose Protocol Parser - A Zeek GOOSE parser has been developed to enable detailed analysis of the transmitted data and allow rule-based identification of anomalies related to cybersecurity attacks. It is compatible with an older instance of Zeek Network Security Monitor (v2.6).

Protocols

  • TruffleHog - A network analysis tool that works together with snort to visually represent a PROFINET network graph.

Reverse Engineering

  • Binwalk - Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • ANGR - A powerful and user-friendly binary analysis platform.
  • Floss - FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.

Symbolic Execution

  • SymCC - SymCC: efficient compiler-based symbolic execution

Samples

  • Trisis/Triton/Hatman - Repository containing original and decompiled files of TRISIS/TRITON/HATMAN malware

(creative commons license)