Built-in checks
Built-in checks are based on specific signatures or on hard-coded logic that refers to known ICS threats (signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can nonetheless impact network or ICS functionality. They may also leverage the Learning process to be more accurate.
| Type ID | Name | Security Profile | Risk | Details | Product Versions | Trace |
|---|---|---|---|---|---|---|
| SIGN:CLEARTEXT-PASSWORD | Cleartext password | MEDIUM | 7 | A cleartext password has been issued or requested. Consider moving to secure communication, or evaluate the risk of having this data exposed on the network. | Guardian 19.0.0 | YES |
| SIGN:CONFIGURATION-CHANGE | Configuration change | MEDIUM | 6 | A changed configuration has been uploaded to the OT device. This can be a legitimate operation during maintenance and software upgrades, or an unauthorized attempt to disrupt the normal behaviour of the system. Verify the device configuration and status. | Guardian 18.0.0 | YES |
| SIGN:CPE:CHANGE | CPE change | LOW | 0 | A change in the installed software has been detected. The change affects the device's vulnerability list and may alter it. Verify the device configuration and status, and the reason behind the software change. | Guardian 18.0.0 | YES |
| SIGN:DEV-STATE-CHANGE | Device state change | MEDIUM | 7 | A command that can alter the device state has been detected. Examples are a request to reset the processor's memory and other technology-specific cases. Verify the device configuration and status, and the reason behind the command. | Guardian 18.0.0 | YES |
| SIGN:DUALUSE-DETECTED | DUALUSE detection | MEDIUM | 5 | A suspicious transfer of a named Dual Use Application (DUALUSE) has been detected. Verify the usage of the application and, if malicious, clean up the victim and block or clean up the attacker as well. | Guardian 23.3.0 | NO |
| SIGN:DUALUSE-DOMAIN | DUALUSE domain | MEDIUM | 4 | A DNS query towards a suspicious domain has been detected. Investigate the health status of the involved nodes. | Guardian 24.0.0 | NO |
| SIGN:DUALUSE-IP | DUALUSE IP | MEDIUM | 4 | A node with a suspicious IP has been detected. Validate the health status of the communicating nodes, as they may be infected by malware. | Guardian 24.0.0 | YES |
| SIGN:DUALUSE-URL | DUALUSE URL | MEDIUM | 5 | A request towards a suspicious URL has been detected. Investigate the health status of the involved nodes. | Guardian 24.0.0 | YES |
| SIGN:FIRMWARE-TRANSFER | Firmware transfer | HIGH | 6 | A firmware image has been transferred to the device. This can be a legitimate maintenance operation or an unauthorized attempt to change the behaviour of the device. Verify the device configuration and status, and the possible presence of malicious actors. | Guardian 19.0.0 | YES |
| SIGN:INFORMATION-GATHERING | Information gathering | PARANOID | 6 | Sensitive information has been transferred between an OT device (e.g. an IED) and a workstation / local SCADA. This can be a legitimate troubleshooting operation or an unauthorized attempt to extract device information. Investigate the actor that initiated the transfer and the information that was transferred. | Guardian 24.1.0 | YES |
| SIGN:MALICIOUS-DOMAIN | Malicious domain | LOW | 8 | A DNS query towards a malicious domain has been detected. Investigate why this domain has been contacted and consider banning it from your network. | Guardian 19.0.0 | YES |
| SIGN:MALICIOUS-HID | Malicious USB device | LOW | 10 | Suspicious behaviour has been detected in a device announcing itself as a Human Interface Device (HID). It may be compromised, with malicious software running on it and performing dangerous actions against the host it is connected to. Disconnect the HID and inspect it carefully: it might contain a miniature embedded chip. Find the root cause of the unexpected behaviour. | Arc 1.0 | NO |
| SIGN:MALICIOUS-IP | Bad IP reputation | LOW | 8 | A node with a bad-reputation IP has been found. Investigate why this IP has been contacted and consider banning it from your network. | Guardian 19.0.0 | YES |
| SIGN:MALICIOUS-URL | Malicious URL | LOW | 7 | A request towards a malicious URL has been detected. Investigate why this URL has been contacted and consider banning it from your network. | Guardian 19.0.0 | YES |
| SIGN:MALWARE-DETECTED | Malware detection | LOW | 9 | A potentially malicious payload has been transferred. Investigate the malware source and the infected device, and consider removing the file. | Guardian 18.0.0 | NO |
| SIGN:MITM | MITM attack | LOW | 10 | A potential man-in-the-middle (MITM) attack has been detected: the attacker is ARP-poisoning the victims and could alter the communication between them. Investigate the network configuration and the possible presence of malicious actors. | Guardian 20.0.5 | NO |
| SIGN:OT_DEVICE-REBOOT | OT device reboot request | HIGH | 6 | An OT device program has been requested to reboot (e.g. by the engineering workstation). This may be due to engineering operations, for instance maintenance of the program itself or a system update. However, it may also indicate suspicious activity from an attacker trying to manipulate the device execution. Investigate the network configuration and the possible presence of malicious actors. | Guardian 18.0.0 | YES |
| SIGN:OT_DEVICE-START | OT device start request | HIGH | 6 | An OT device program has been requested to start (e.g. by the engineering workstation). This may be due to engineering operations, for instance maintenance of the program itself or a system update. However, it may also indicate suspicious activity from an attacker trying to manipulate the device execution. Investigate the network configuration and the possible presence of malicious actors. | Guardian 18.0.0 | YES |
| SIGN:OT_DEVICE-STOP | OT device stop request | HIGH | 9 | An OT device program has been requested to stop (e.g. by the engineering workstation). This may be due to engineering operations, for instance maintenance of the program itself or a system update. However, it may also indicate suspicious activity from an attacker trying to manipulate the device execution. Investigate the network configuration and the possible presence of malicious actors. | Guardian 18.0.0 | YES |
| SIGN:OUTBOUND-CONNECTIONS | High rate of outbound connections | LOW | 9 | A host has shown a sudden increase in outbound connections. This could be due to the presence of malware. Investigate the reason behind these connections from the device to the outside, and consider updating the network configuration to prevent them. | Guardian 21.0.0 | YES |
| SIGN:PACKET-RULE | Packet rule match | LOW | 9 | A packet has matched a Packet rule. Verify the device configuration and status, and the possible presence of malicious actors. | Threat Intelligence | YES |
| SIGN:PASSWORD:WEAK | Weak password | HIGH | 5 | A weak password, possibly a default one, has been used to access a resource. Consider updating your passwords. | Guardian 18.5.0 | YES |
| SIGN:PROGRAM:CHANGE | Program change | MEDIUM | 6 | A changed program has been uploaded to the OT device. This can be a legitimate operation during maintenance and software upgrades, or an unauthorized attempt to disrupt the normal behaviour of the system. Verify the device configuration and status, and the possible presence of malicious actors. | Guardian 18.0.0 | YES |
| SIGN:PROGRAM:TRANSFER | Program transfer | HIGH | 6 | A program has been transferred between an OT device (e.g. an IED) and a workstation / local SCADA. This can be a legitimate operation during maintenance and software upgrades, or an unauthorized attempt to read the program logic. Investigate the entity that initiated the transfer and the program content. | Guardian 18.0.0 | YES |
| SIGN:PUA-DETECTED | PUA detection | MEDIUM | 5 | A potentially unwanted application (PUA) payload has been transferred. This is normally less dangerous than a malware payload. Investigate the payload source and the receiving device, and consider removing the payload. | Guardian 20.0.6 | NO |
| SIGN:PUA-DOMAIN | PUA domain | MEDIUM | 4 | A DNS query towards a suspicious domain has been detected. Investigate the health status of the involved nodes. | Guardian 24.0.0 | NO |
| SIGN:PUA-IP | PUA IP | MEDIUM | 4 | A node with a suspicious IP has been detected. Validate the health status of the communicating nodes, as they may be infected by malware. | Guardian 24.0.0 | YES |
| SIGN:PUA-URL | PUA URL | MEDIUM | 5 | A request towards a suspicious URL has been detected. Investigate the health status of the involved nodes. | Guardian 24.0.0 | YES |
| SIGN:SIGMA-RULE | Sigma rule match | LOW | 9 | Rule-dependent. A suspicious local event has been detected on a machine. Verify the device configuration and status, and the possible presence of malicious processes. | Arc 1.0, Threat Intelligence | YES |
| SIGN:SUSP-TIME | Suspicious time value | HIGH | 7 | A suspicious time value has been observed on the network. There could be a malfunctioning device or a packet injection. Verify the device configuration and status. | Guardian 20.0.0 | YES |
| SIGN:USB-DEVICE | New USB device plugged | PARANOID | 6 | This is most likely a human-driven event. USB devices can be a physical infiltration vector carrying files with malicious behaviour. Check the nature of the device and its content. | Arc 1.0 | NO |
| SIGN:USB-FILE-TRANSFER | USB file transfer | HIGH | 6 | A user or operator has connected a USB device and transferred data, or a script may have initiated the operation. Verify whether the operation is permitted. | Arc 1.9 | NO |
| SIGN:WEAK-ENCRYPTION | Weak encryption | PARANOID | 6 | The communication has been encrypted using an obsolete cryptographic protocol, weak cipher suites or invalid certificates. Consider moving to more secure algorithms, or evaluate the risk of keeping this technology on the network. | Guardian 19.0.5 | YES |
| SIGN:WIFI:DEAUTH | Deauth attack | LOW | 7 | The 802.11 family of standards (also known as WiFi) includes a way for Access Points to disconnect clients through specific management frames. However, this functionality lets attackers disrupt WiFi networks easily. More recent 802.11 Access Points and client devices support the 802.11w extension (Protected Management Frames), which makes client deauthentication and disassociation possible only from the real Access Point governing those clients. Check your Access Point configuration for this extension and enable it. | Guardian Air 1.0.1 | YES |
| SIGN:WIFI:SSID-XSS-INJECTION | SSID XSS injection attempt | LOW | 5 | An attacker may know that a wireless-enabled device has an XSS vulnerability in its web interface, and is trying to leverage it through a crafted SSID to execute arbitrary HTML/JavaScript code. If successful, in the worst case this can lead to full device compromise and network penetration. Exploiting these vulnerabilities typically requires user interaction: for example, the vulnerable web application must be opened in a web browser. Advise your personnel to avoid browsing web applications related to wireless devices until the rogue SSID has been taken down. | Guardian Air 1.0.1 | YES |
| SIGN:WIRELESS:INJECTION | Suspected wireless packet injection | LOW | 5 | A wireless packet that appears to have been injected by an attacker has been captured. Check the surroundings of the involved assets and their wireless network. | Guardian Air 1.0.1 | YES |
| SIGN:WIRELESS:SUSPICIOUS | Suspicious wireless activity | LOW | 5 | A suspicious wireless packet has been captured: something does not look as it should according to the protocol or its specifications. Check the involved assets and the wireless network. | Guardian Air 1.0.1 | YES |
| SIGN:WIRELESS:VIOLATION-RULES | Wireless packet violating rules | LOW | 5 | A wireless packet that does not comply with protocol rules has been captured on the network. Check that the involved assets have not been compromised. | Guardian Air 1.0.1 | YES |
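To make the distinction between signature checks and hard-coded logic checks concrete, the following is an added example, not Nozomi Networks' code. It evaluates one indicator-driven check (SIGN:MALICIOUS-IP) and two logic checks (SIGN:MITM as an IP-to-MAC conflict in ARP replies, SIGN:WEAK-ENCRYPTION as an obsolete TLS version) over a constructed event stream, using the Security Profile and Risk values from the table above. The event format, the indicator list, the sample traffic and the profile-gating rule (an alert is raised only when the active profile is at or above the alert's profile, which is an assumption about the column's meaning) are all invented for the example.

```python
"""Two kinds of built-in check, reduced to their essentials.

Added example, not Nozomi Networks' implementation. A signature check
(SIGN:MALICIOUS-IP) matches endpoints against an indicator list; logic
checks (SIGN:MITM, SIGN:WEAK-ENCRYPTION) apply a hard-coded rule to
protocol fields. Events, indicators, traffic and gating are constructed.
"""
from dataclasses import dataclass, field

# Assumption about the Security Profile column: an alert is raised only when
# the sensor's active profile is at or above the alert's own profile.
PROFILE_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "PARANOID": 3}

# (Security Profile, Risk) copied from the table above.
CATALOGUE = {
    "SIGN:MALICIOUS-IP": ("LOW", 8),
    "SIGN:MITM": ("LOW", 10),
    "SIGN:WEAK-ENCRYPTION": ("PARANOID", 6),
}

# Protocol versions the logic check treats as obsolete (constructed list).
WEAK_TLS_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass(frozen=True)
class Alert:
    type_id: str
    risk: int
    details: str


@dataclass
class Engine:
    active_profile: str = "MEDIUM"
    # Constructed indicator (RFC 5737 documentation range) standing in for
    # a Threat Intelligence feed.
    bad_ips: frozenset = frozenset({"198.51.100.23"})
    # IP -> MAC learned from the first ARP reply seen for that IP.
    arp_table: dict = field(default_factory=dict)

    def _raise(self, type_id, details):
        """Build the alert, or drop it when gated off by the active profile."""
        profile, risk = CATALOGUE[type_id]
        if PROFILE_ORDER[profile] > PROFILE_ORDER[self.active_profile]:
            return None
        return Alert(type_id, risk, details)

    def check_ip_reputation(self, ev):
        """Signature check: either endpoint is on the indicator list."""
        for ip in (ev["src_ip"], ev["dst_ip"]):
            if ip in self.bad_ips:
                return self._raise("SIGN:MALICIOUS-IP",
                                   f"node {ip} has a bad reputation")
        return None

    def check_arp(self, ev):
        """Logic check: an ARP reply binds an IP to a MAC other than the one
        first learned for it, the footprint of ARP poisoning."""
        if ev.get("arp_op") != "reply":
            return None
        ip, mac = ev["arp_spa"], ev["arp_sha"]
        known = self.arp_table.setdefault(ip, mac)
        if known != mac:
            return self._raise("SIGN:MITM", f"{ip} moved from {known} to {mac}")
        return None

    def check_tls(self, ev):
        """Logic check: an obsolete protocol version was negotiated."""
        version = ev.get("tls_version")
        if version in WEAK_TLS_VERSIONS:
            return self._raise("SIGN:WEAK-ENCRYPTION",
                               f"{ev['src_ip']} -> {ev['dst_ip']} uses {version}")
        return None

    def process(self, events):
        """Run every check on every event; return alerts highest risk first."""
        alerts = []
        for ev in events:
            for check in (self.check_ip_reputation, self.check_arp, self.check_tls):
                alert = check(ev)
                if alert is not None:
                    alerts.append(alert)
        return sorted(alerts, key=lambda a: a.risk, reverse=True)


# Constructed sample traffic (RFC 5737 addresses, made-up MACs): a PLC at
# 192.0.2.10 answers ARP, then a second MAC answers for the same IP; a
# workstation talks TLS 1.0 to an HMI and then contacts the listed IP.
SAMPLE_EVENTS = [
    {"src_ip": "192.0.2.10", "dst_ip": "192.0.2.50", "arp_op": "reply",
     "arp_spa": "192.0.2.10", "arp_sha": "00:1d:9c:aa:bb:01"},
    {"src_ip": "192.0.2.50", "dst_ip": "192.0.2.10", "proto": "modbus"},
    {"src_ip": "192.0.2.10", "dst_ip": "192.0.2.50", "arp_op": "reply",
     "arp_spa": "192.0.2.10", "arp_sha": "00:0c:29:de:ad:42"},
    {"src_ip": "192.0.2.50", "dst_ip": "192.0.2.20", "tls_version": "TLSv1.0"},
    {"src_ip": "192.0.2.50", "dst_ip": "198.51.100.23", "proto": "tcp"},
]


def run_sample(profile="MEDIUM"):
    """Evaluate the sample traffic under the given active profile."""
    return Engine(active_profile=profile).process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for profile in ("MEDIUM", "PARANOID"):
        print(f"active profile {profile}:")
        for a in run_sample(profile):
            print(f"  [{a.risk:>2}] {a.type_id}: {a.details}")
```

Under the MEDIUM profile the run yields the MITM alert (risk 10) and the bad-reputation alert (risk 8); the weak-encryption alert only appears under PARANOID, because its profile gates it off elsewhere. Note that the MITM logic keys on the first binding seen: a sensor that starts capturing after poisoning has begun would learn the attacker's MAC as the baseline, which is why such checks are more reliable when combined with the Learning process and with device inventory data.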