Adversaries may leverage IEC-104 protocol strings to establish covert communication channels within industrial control systems. SOC teams should proactively hunt for this behavior to identify potential exfiltration or command-and-control activities in their Azure Sentinel environment.
YARA Rule
rule dragos_crashoverride_moduleStrings {
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii
        $s2 = " MSTR ->> SLV" nocase wide ascii
        $s3 = " MSTR <<- SLV" nocase wide ascii
        $s4 = "Unknown APDU format !!!" nocase wide ascii
        $s5 = "iec104.log" nocase wide ascii
    condition:
        any of ($s*)
}
This YARA rule can be deployed in the contexts listed below. It contains 5 string patterns in its detection logic, and its condition fires when any one of them is found.
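To make the `nocase wide ascii` modifiers and the `any of ($s*)` condition concrete, here is an added Python example (not Dragos code, and not using the yara library) that reimplements this rule's matching over a constructed byte buffer; the sample buffers, function names and offsets are assumptions for illustration.

```python
import re

# The five patterns from the Dragos rule above, copied verbatim.
PATTERNS = {
    "$s1": "IEC-104 client: ip=%s; port=%s; ASDU=%u",
    "$s2": " MSTR ->> SLV",
    "$s3": " MSTR <<- SLV",
    "$s4": "Unknown APDU format !!!",
    "$s5": "iec104.log",
}


def compile_pattern(text: str) -> re.Pattern:
    """Regex equivalent of YARA's `nocase wide ascii`: match the string
    either as plain ASCII or as UTF-16LE ("wide": each character followed
    by a NUL byte), ignoring ASCII case in both forms."""
    ascii_form = re.escape(text.encode("ascii"))
    wide_form = re.escape(text.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", re.IGNORECASE)


def scan(buf: bytes) -> dict:
    """Return {pattern_name: [offsets]} for every pattern found in buf."""
    hits = {}
    for name, text in PATTERNS.items():
        offsets = [m.start() for m in compile_pattern(text).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(buf: bytes) -> bool:
    """Mirrors the rule condition `any of ($s*)`."""
    return bool(scan(buf))


# Constructed sample: $s4 in mixed case as ASCII, $s5 in upper case as wide.
SAMPLE_SUSPICIOUS = (
    b"\x00" * 8
    + b"unknown apdu FORMAT !!!"
    + b"\x00" * 4
    + "IEC104.LOG".encode("utf-16-le")
)
# Constructed sample resembling a benign backup command line: no match.
SAMPLE_BENIGN = b"rsync -a /etc/iec104/ /backup/iec104/\n"

if __name__ == "__main__":
    print(scan(SAMPLE_SUSPICIOUS))   # {'$s4': [8], '$s5': [35]}
    print(rule_matches(SAMPLE_BENIGN))  # False
```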
Scenario: Scheduled backup of IEC-104 configuration files using rsync
Filter/Exclusion: Check for rsync process with destination paths in /backup/iec104/ or /var/backups/iec104/

Scenario: Administrative task to update IEC-104 protocol settings via telnet or netcat
Filter/Exclusion: Filter by source IP addresses of known admin workstations or use process.name = telnet or nc with whitelisted IPs

Scenario: Regular maintenance job using cron to restart IEC-104 service
Filter/Exclusion: Use process.name = cron and check for command-line arguments containing systemctl restart iec104 or similar

Scenario: Log analysis tool (e.g., logrotate) processing IEC-104 logs
Filter/Exclusion: Filter by process.name = logrotate and check for log file paths like /var/log/iec104/

Scenario: Network monitoring tool (e.g., tcpdump) capturing IEC-104 traffic for analysis
Filter/Exclusion: Use process.name = tcpdump and check for command-line arguments containing iec104 or tcpdump -i eth0 port 2404