SolarDisruption Lab Writeup (CyberDefenders)
2026-6-9 08:48 Author: infosecwriteups.com (view original)

Loay Salah

Scenario:

You are a cybersecurity analyst working in the Security Operations Center (SOC) at AetherCore Technologies, a company that provides engineering and manufacturing services for electronic products, including industrial solar energy systems. AetherCore relies on programmable logic controllers (PLCs) to manage the solar panel systems in its facilities. These systems are critical for maintaining the company’s solar energy production and efficient operation.

Recently, AetherCore’s engineering team reported a significant disruption in their solar panel operations. Several panels have gone offline, and attempts to remotely restart them have failed. The incident occurred shortly after 16:10, following a spike in network activity. Initial hardware checks found no physical issues with the panels or the PLCs.

You and your team have been tasked with investigating whether this outage was caused by a cybersecurity incident. There is suspicion that an insider threat may be involved, using their access to the network to manipulate the PLCs and disrupt solar panel operations.

Q1: In the provided packet capture, several protocols are present, but one stands out for its popularity in Industrial Control Systems and Programmable Logic Controllers (PLCs). It is used to transmit data between devices like PLCs and sensors, allowing real-time monitoring and process control. What is the name of this protocol?

It is a protocol used in industrial systems for real-time data exchange between controllers and field devices like sensors and actuators.

Answer1 → modbus

Q2: Some analysis tools offer a histogram view of the packet capture, which visualizes network activity over time and helps analysts identify patterns, trends, or anomalies such as traffic spikes.
Determine the duration of the traffic spike in the packet capture, rounding the result to the nearest second, and provide your answer in seconds.

We first visualise the packet capture to locate the spike on the graph, then calculate the duration of that spike. In Wireshark, open Statistics -> I/O Graphs.

The peak (spike) is visible here.

Now we need the duration of this spike. Hovering over the two boundaries of the spike gives the exact start and end times, and the difference is the duration.


If you hover the mouse over the two blue-circled boundaries of the spike, the time at each is shown where the black circle indicates below.

First interval line time = 454

Second interval time = 463

Answer2 → 9

Q3: Traffic spikes are often linked to scanning activities by adversaries, which become evident when a single host IP generates a large number of requests within a short period.
What is the IP address responsible for the traffic spike?

Selecting any point between the spike boundaries shows the packets in that window, and their source IP address is the one responsible, as shown in the following image.


Answer3 → 192.168.228.203
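The spike-and-attribution step above (Q2 and Q3) can be reproduced outside the GUI. The following Python is an added example, not part of the original write-up: it bins constructed packet records per second (the same histogram the I/O graph draws), finds the longest run of bins above a threshold, and reports the duration of that window and the source address that dominates it. The records, the threshold factor and the 454 to 463 s timing are assumptions chosen to mirror the write-up, not data from the lab pcap.

```python
from collections import Counter
from math import floor


def build_sample_records():
    """Constructed (timestamp_seconds, src_ip, dst_ip) records, not from the lab pcap.
    Background: one packet per second from 192.168.228.10 for 40 s.
    Spike: 40 packets per second from 192.168.228.203 for the 9 bins 454..462."""
    records = []
    for t in range(440, 480):
        records.append((t + 0.1, "192.168.228.10", "192.168.228.1"))
    for t in range(454, 463):
        for i in range(40):
            records.append((t + i / 40.0, "192.168.228.203", "192.168.228.136"))
    return records


def packets_per_second(records):
    """Histogram of packet counts per 1-second bin (what the I/O graph plots)."""
    return Counter(floor(ts) for ts, _, _ in records)


def spike_interval(hist, factor=5):
    """Longest run of consecutive bins whose count exceeds `factor` times the
    median bin count. Returns (start, end, duration); end is exclusive, so the
    duration in seconds is end - start. Returns None when no bin is above threshold."""
    counts = sorted(hist.values())
    threshold = factor * counts[len(counts) // 2]
    best = None
    run_start = None
    # Walk one bin past the last one so a spike at the very end is closed too.
    for sec in range(min(hist), max(hist) + 2):
        hot = hist.get(sec, 0) > threshold
        if hot and run_start is None:
            run_start = sec
        elif not hot and run_start is not None:
            if best is None or sec - run_start > best[2]:
                best = (run_start, sec, sec - run_start)
            run_start = None
    return best


def top_talker(records, start, end):
    """(src_ip, packet_count) of the busiest source inside [start, end)."""
    sources = Counter(src for ts, src, _ in records if start <= ts < end)
    return sources.most_common(1)[0]


if __name__ == "__main__":
    recs = build_sample_records()
    start, end, duration = spike_interval(packets_per_second(recs))
    print(f"spike {start}s -> {end}s, duration {duration}s")
    print("dominant source in spike:", top_talker(recs, start, end))
```

The median-based threshold is deliberately crude; on a real capture you would tune the factor or use a rolling baseline, but the idea is the same as reading the I/O graph by eye.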

Q4: After identifying the attacker's IP address, the next step is to determine which network hosts the attacker interacted with, a process known as host discovery.
This involves analyzing the traffic to see how many devices or systems the attacker communicated with on the network. Based on the packet capture analysis, how many hosts did the attacker discover?

First, we filter on the IP address we found (the attacker's IP address).

Then we look at all of its communication with hosts on the same subnet as the attacker (192.168.228.xxx), which is where the discovery took place.

Go to Statistics -> Conversations to list all conversations.

The conversations look like this:

But we only want IP addresses on the same subnet.
The image shows 8 conversations; pay close attention to the penultimate line!

Answer4 → 7

Q5: After completing host discovery, adversaries typically conduct a port scan to identify potential vulnerabilities and determine their attack surface.
How many ports did the attacker scan on each of the discovered hosts?

We need to know how many ports were scanned on each host.

We filter on the attacker's IP address together with each of the other 7 IP addresses, using a filter like this, for example:

Since the attacker is port scanning, this is the right way to filter. Looking at the conversations between these IP addresses, we find 1000 TCP connections to destination IP address 192.168.228.136. Changing the ip.dst value in the filter to each of the 7 IP addresses gives the following statistics:

Sample

192.168.228.1 -> 1000 TCP connections

192.168.228.2 -> 1000 TCP connections

192.168.228.136 -> 1000 TCP connections

192.168.228.137 -> 1021 TCP connections

192.168.228.138 -> 1162 TCP connections (most traffic)

192.168.228.254 -> 1000 TCP connections


Conclusion: the port-scan count is quite obvious; only 2 of the 7 IP addresses have more than 1000 connections. The host with the most traffic above 1000 is the one the attacker kept communicating with for longer, which suggests the attacker also found an open port there.

Answer5 → 1000
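The host-discovery and port-count reasoning in Q4 and Q5 is essentially a set of per-conversation tallies, which is easy to script. The following Python is an added example, not code from the write-up or the lab: it takes constructed TCP records of the form (src, sport, dst, dport, flags), counts the distinct hosts the attacker touched inside its own subnet, counts the distinct ports probed on each host, and lists which probes received a SYN/ACK (the "longer communication" the write-up noticed on one host). The /24 prefix, the flag strings and the sample hosts and ports are assumptions for this example.

```python
import ipaddress
from collections import defaultdict

ATTACKER = "192.168.228.203"  # attacker IP identified in the write-up


def build_sample_flows():
    """Constructed TCP records (src, sport, dst, dport, flags), not from the lab pcap.
    The attacker SYN-probes 5 ports on 3 subnet hosts; every probe gets RST/ACK
    except port 8080 on .138, which answers SYN/ACK. One off-subnet probe is
    included and must be excluded from host discovery."""
    flows = []
    for host in ("192.168.228.1", "192.168.228.136", "192.168.228.138"):
        for port in (22, 80, 443, 502, 8080):
            flows.append((ATTACKER, 40000 + port, host, port, "S"))
            reply = "SA" if (host, port) == ("192.168.228.138", 8080) else "RA"
            flows.append((host, port, ATTACKER, 40000 + port, reply))
    flows.append((ATTACKER, 45000, "10.0.0.5", 53, "S"))
    return flows


def discovered_hosts(flows, attacker, prefix=24):
    """Distinct hosts the attacker sent packets to inside its own /prefix network.
    The prefix is an assumption; the write-up reasons about 192.168.228.x."""
    net = ipaddress.ip_network(f"{attacker}/{prefix}", strict=False)
    return sorted({dst for src, _, dst, _, _ in flows
                   if src == attacker and ipaddress.ip_address(dst) in net})


def ports_scanned_per_host(flows, attacker):
    """Number of distinct destination ports the attacker probed on each host."""
    ports = defaultdict(set)
    for src, _, dst, dport, _ in flows:
        if src == attacker:
            ports[dst].add(dport)
    return {host: len(p) for host, p in ports.items()}


def responsive_ports(flows, attacker):
    """Ports that answered the attacker with SYN/ACK, i.e. listening services.
    Hosts that never answered are absent from the result."""
    open_ports = defaultdict(set)
    for src, sport, dst, _, flags in flows:
        if dst == attacker and flags == "SA":
            open_ports[src].add(sport)
    return dict(open_ports)


if __name__ == "__main__":
    flows = build_sample_flows()
    hosts = discovered_hosts(flows, ATTACKER)
    print(len(hosts), "hosts discovered:", hosts)
    for host, n in ports_scanned_per_host(flows, ATTACKER).items():
        print(f"{host}: {n} ports probed")
    print("responsive:", responsive_ports(flows, ATTACKER))
```

On a real capture you would feed this the same kind of records that Statistics -> Conversations summarises (for example from a tshark field export); the logic of "same subnet, distinct destinations, distinct ports, who answered" does not change.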

Q6: Now that we have confirmed the attacker's IP and intentions, let's begin analyzing their actions. Which HTTP host did the attacker first interact with after completing their enumeration?

From the previous question, we know that the IP address with the most traffic is the host the attacker enumerated and somehow gained access to: 192.168.228.138. Now we need to know the port number.


ip.src==192.168.228.203 and ip.dst == 192.168.228.138

Using this filter to get the full communication, we see that the traffic is at first nothing but port scanning, but a little later the whole traffic changes to one specific port number:


From port scanning to actual communication with port 8080.

Answer6 → 192.168.228.138:8080

Q7 → The first host the attacker interacted with is a PLC (Programmable Logic Controller) device. To understand the attack better, it's important to identify the specific PLC runtime being used on this host, as this could give insights into the attack methods and vulnerabilities.
What is the name of the PLC runtime used by this host?

Browse through the communication (HTTP specifically) and you'll find an image with the name of the PLC runtime.


Alternatively, search for the string “plc” and you'll get the same answer.


Answer7 → OpenPLC

Q8 → The attacker appears to have successfully logged into the PLC’s configuration webserver. What credentials did they use to gain access?

First, add http to the previous filter and look for something interesting.


A “POST” request to the “/login” page of the web server is very interesting, so we follow the TCP stream and find the credentials.

Answer8 → openplc:openplc

Q9 → According to the incident report, the credentials for the OpenPLC configuration webserver were changed by the attacker. Can you identify the new password that the attacker set?

Same approach as the previous question: another very important “POST” request was sent to the “/edit-user” path.


Follow the TCP stream to get the answer easily:

Answer9 → d1srupt10n
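Both Q8 and Q9 come down to the same observation: the PLC web server accepts form POSTs to /login and /edit-user over plain HTTP, so anyone who can capture the traffic can read what was submitted. The following Python is an added example, not part of the write-up: it parses a raw HTTP request of the kind "Follow TCP Stream" shows, flags form POSTs to those two paths, and reports the submitted field names with secret values masked, which is how a detection rule (rather than a CTF answer) would report the event. The field names, the sample values and the request builder are assumptions for this example; only the two paths and the host:port come from the write-up.

```python
from urllib.parse import parse_qs, urlencode

# Paths on the OpenPLC web server named in the write-up, and what a POST to each means.
WATCHED_PATHS = {"/login": "login", "/edit-user": "credential change"}
# Form fields whose values are masked in findings (field names are an assumption).
SECRET_FIELDS = {"password", "new_password", "confirm_password"}


def build_post(path, host, fields):
    """Construct a raw HTTP/1.1 form POST. Sample data for this example only."""
    body = urlencode(fields).encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def parse_http_request(raw):
    """Split a raw request into method, path, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def credential_event(raw):
    """Return a finding for a form POST to a watched path (secrets masked), or None
    when the request is a different method, path or content type."""
    req = parse_http_request(raw)
    if req["method"] != "POST" or req["path"] not in WATCHED_PATHS:
        return None
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = {k: v[0] for k, v in parse_qs(req["body"].decode("latin-1")).items()}
    masked = {k: ("***" if k in SECRET_FIELDS else v) for k, v in fields.items()}
    return {"kind": WATCHED_PATHS[req["path"]],
            "host": req["headers"].get("host"),
            "fields": masked}


if __name__ == "__main__":
    # Constructed samples: a login and a later credential change to the same host.
    login = build_post("/login", "192.168.228.138:8080",
                       {"username": "openplc", "password": "sample-secret-1"})
    change = build_post("/edit-user", "192.168.228.138:8080",
                        {"user_id": "1", "password": "sample-secret-2"})
    for raw in (login, change, b"GET /login HTTP/1.1\r\nHost: x\r\n\r\n"):
        print(credential_event(raw))
```

The point of masking is that the finding ("cleartext login to the PLC web server, followed by a credential change from the same source") is what an analyst needs to act on; the secret itself only needs to be read when, as in the lab, the investigation requires it.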

Q10 → The PLC’s configuration webserver enables engineers to configure and monitor various parameters of the PLC device. This access can also allow an attacker to identify the I/O points or the registers/coils numbers and their mappings. How many I/O points were in use on the PLC?

This is the trickiest question. After a lot of analysis of the communication using the filter ip.src==192.168.228.203 and ip.dst == 192.168.228.138 and http, I asked myself:
Why is the attacker requesting so many images and HTML web pages?

So why not download these HTML web pages and look for something interesting? You can do that via File → Export Objects → HTTP…


Filter the output to the domain of the web server, like this:


You'll find a lot of HTML web pages. Save them one by one, adding the .html extension to the saved files so they render properly in a browser.

After a lot of analysis, I can tell you that the file “monitor-update%3fmb_port=502” is the most important one for getting the answers.

After saving the file with the “.html” extension, we can open it in a browser:

WOW! We found 4 I/O point names, which is exactly what we want.

Answer10 → 4

Q11 → Following the identification of the I/O points,
What is the Modbus location of the Emergency Stop coil on the PLC?

From the same saved HTML file, we can see the Emergency_Stop location easily.

Answer11 → %QX0.0

Q12 → The attacker seems to have sent multiple Modbus requests using the “Write Single Coil” command, specifically targeting the emergency stop coils. This repeated activation of the emergency stop likely caused our system’s downtime. Based on the information provided,
Can you calculate the total duration of the downtime in seconds (rounded) caused by the attacker?

The attacker sent a lot of Modbus packets, so change the “http” part of the filter to “modbus”, like this:

Since only the duration is needed, we calculate the difference between the first packet time and the last packet time. The first packet in the filter has the time “740.xxxx”, as shown.

And the last packet in the “modbus” filter has the time “1034.xxxx”, as shown.

We can calculate the difference to get the duration using a reliable source XD:

Answer12 → 294
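Q10, Q11 and Q12 chain together: the exported monitor page gives the I/O points and the Modbus location of Emergency_Stop, and the Modbus traffic to that coil gives the downtime. The following Python is an added example, not the write-up's or OpenPLC's code: it pulls point names and locations out of a constructed HTML table, maps a %QX location to a Modbus coil number, decodes constructed Modbus/TCP "Write Single Coil" (function code 5) frames, and computes the time between the first and last write to that coil. The table layout, the coil mapping rule (%QXa.b to coil a*8+b, which is how OpenPLC numbers its output bits, stated here as an assumption) and the packet timestamps are assumptions chosen to mirror the write-up; the 0xFF00/0x0000 ON/OFF encoding and the MBAP header layout are from the Modbus/TCP specification.

```python
import re
import struct

# Constructed sample of the kind of I/O table the OpenPLC monitoring page renders
# (point name, type, location, value). The layout is an assumption, not the real page.
SAMPLE_MONITOR_HTML = """
<table>
<tr><th>Point Name</th><th>Type</th><th>Location</th><th>Value</th></tr>
<tr><td>Emergency_Stop</td><td>BOOL</td><td>%QX0.0</td><td>FALSE</td></tr>
<tr><td>Panel_Online</td><td>BOOL</td><td>%QX0.1</td><td>TRUE</td></tr>
<tr><td>Irradiance</td><td>INT</td><td>%IW0</td><td>812</td></tr>
<tr><td>Inverter_Enable</td><td>BOOL</td><td>%QX0.2</td><td>TRUE</td></tr>
</table>
"""


def parse_io_points(html):
    """Return {point_name: location} from the table rows (the <th> header row has no
    <td> cells and is skipped)."""
    points = {}
    for row in re.findall(r"<tr>(.*?)</tr>", html, re.S):
        cells = re.findall(r"<td>(.*?)</td>", row, re.S)
        if len(cells) >= 3:
            points[cells[0].strip()] = cells[2].strip()
    return points


def location_to_coil(location):
    """Map an IEC 61131-3 output bit %QXa.b to a Modbus coil number, assuming
    OpenPLC's numbering coil = a*8 + b (so %QX0.0 is coil 0, %QX1.1 is coil 9)."""
    m = re.fullmatch(r"%QX(\d+)\.(\d+)", location)
    if not m:
        raise ValueError(f"{location} is not a coil location")
    return int(m.group(1)) * 8 + int(m.group(2))


def build_modbus_frame(tid, unit, function, address, value):
    """Modbus/TCP frame: MBAP header (transaction id, protocol id 0, length of the
    bytes that follow, unit id) + PDU (function code, 16-bit address, 16-bit value)."""
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_frame(frame):
    """Decode MBAP + PDU; for Write Single Coil (FC 5) also decode coil and ON/OFF."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed Modbus/TCP frame")
    info = {"tid": tid, "unit": unit, "fc": frame[7]}
    if info["fc"] == 5:
        coil, value = struct.unpack(">HH", frame[8:12])
        info["coil"] = coil
        info["on"] = value == 0xFF00  # 0xFF00 = ON, 0x0000 = OFF per the spec
    return info


def build_sample_capture():
    """Constructed (timestamp, tcp_payload) pairs mirroring the write-up's timing:
    FC5 writes to coil 0 from 740.25 s to 1034.10 s, plus a read and a write to a
    different coil that must both be ignored."""
    return [(740.25, build_modbus_frame(1, 1, 5, 0, 0xFF00)),
            (800.00, build_modbus_frame(2, 1, 5, 0, 0xFF00)),
            (850.00, build_modbus_frame(3, 1, 1, 0, 8)),       # FC1 read coils
            (900.00, build_modbus_frame(4, 1, 5, 3, 0x0000)),  # FC5 to coil 3
            (1034.10, build_modbus_frame(5, 1, 5, 0, 0xFF00))]


def coil_writes(capture, coil):
    """Timestamps of every Write Single Coil request targeting `coil`."""
    hits = []
    for ts, payload in capture:
        decoded = parse_modbus_frame(payload)
        if decoded["fc"] == 5 and decoded["coil"] == coil:
            hits.append(ts)
    return hits


def downtime_seconds(capture, coil):
    """Seconds between the first and last write to the coil, rounded; 0 if < 2 writes."""
    writes = coil_writes(capture, coil)
    return round(writes[-1] - writes[0]) if len(writes) > 1 else 0


if __name__ == "__main__":
    points = parse_io_points(SAMPLE_MONITOR_HTML)
    coil = location_to_coil(points["Emergency_Stop"])
    print(len(points), "I/O points; Emergency_Stop is coil", coil)
    print("downtime:", downtime_seconds(build_sample_capture(), coil), "s")
```

Decoding the function code and coil address explicitly, rather than just filtering on "modbus", is what lets a detection rule distinguish a harmless read from repeated writes to a safety-relevant coil such as the emergency stop.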

Thanks For Reading, Hope you enjoyed❤️


Source: https://infosecwriteups.com/solardisruption-lab-writeup-cyberdefenders-65c631272d58?source=rss----7b722bfd1b8d---4