
ICS Tools - Analysis

Developed as a community asset

Analysis

Firmware

  • OWASP General Firmware Pointers - General pointers that will get you started in understanding embedded systems firmware images.
  • Firmwalker - Script for extracting some useful things from embedded firmware images
  • Firmware Mod Kit - Basic framework for doing firmware modifications
  • Firmadyne - System for emulation and dynamic analysis of Linux-based firmware
  • ICSREF - ICSREF is a modular framework that automates the reverse engineering process of CODESYS binaries compiled with the CODESYS v2 compiler.
  • Thomas Roth - Embedded Serial Gateways - Various scripts for analysis of some serial embedded gateways. See also: video
  • ICS Mem Collect - Memory Analysis Collection Toolkit for GE D20MX platform from FireEye. Now archived, so mirrored here
  • Recon 2017 Work on Protection Relays - More information here
  • EMBA - The security analyzer for embedded device firmware + EMBArk - the web based enterprise interface for EMBA
  • TROMMEL - TROMMEL sifts through embedded device files to identify potentially vulnerable indicators.
  • OFRAK - OFRAK (Open Firmware Reverse Analysis Konsole) is a binary analysis and modification platform. OFRAK combines the ability to: Identify and Unpack many binary formats. Analyze unpacked binaries with field-tested reverse engineering tools. Modify and Repack binaries with powerful patching strategies.
  • rpdebug - rpdbg.py is designed to communicate with the QNX operating system's pdebug utility.

Files

  • Polyfile - A pure Python cleanroom implementation of libmagic, with instrumented parsing from Kaitai Struct and an interactive hex viewer

Logs

  • Plaso - Log2timeline - log2timeline is a tool designed to extract timestamps from various files found on a typical computer system and aggregate them.

Malware

  • YARA - YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.
  • Volatility - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
  • OPC Data Access IDAPython script - An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol. It can be used to analyse such malware families as Havex RAT and Win32/Industroyer.
  • FLARE VM - FLARE VM is a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
  • Control Things Tools Bin - The goal of ctbin is to become the security professional’s Swiss army knife for analyzing binary files.
  • Polytracker - An LLVM-based instrumentation tool for universal taint tracking, dataflow analysis, and tracing.

Network

  • ICS Protocol Tools - See ICS Protocols for more information.
  • NSA GRASSMARLIN - GRASSMARLIN provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks to support network security. Passively map, and visually display, an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems. Now Deprecated, so mirrored here.
  • ARMORE - ARMORE was developed to be an open-source software solution that will aid asset owners by increasing visibility, securing communications, and inspecting ICS communications for behavior that is not intended. Built around Bro and Linux.
  • EDMAND - EDMAND Anomaly detection framework. Built around Bro.
  • AIUS - AIUS Repository (EDMAND/CAPTAR combination). Built around Bro.
  • ML NIDS For ICS - Machine learning techniques for Intrusion Detection in SCADA Systems.
  • Malcolm - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
  • Flare - An analytical framework for network traffic and behavioral analytics
  • Skydive - An open source real-time network topology and protocols analyzer
  • Zeek Goose Protocol Parser - A Zeek GOOSE parser has been developed to enable detailed analysis of the transmitted data and allow rule-based identification of anomalies related to cybersecurity attacks. It is compatible with an older instance of Zeek Network Security Monitor (v2.6).
  • ntopng (community version) - A web-based network traffic monitoring application released under GPLv3. Supports Industrial IoT and SCADA with Modbus, DNP3 and IEC 60870-5-104 since ntopng 4.2 (October 2020)
  • Sequence 2 Sequence Anomaly Detection on SWaT - Anomaly Detection for SWaT Dataset using Sequence-to-Sequence Neural Networks
  • Poisoning ICS Attack Detectors - Poisoning Attacks on Cyber Attack Detectors for Industrial Control Systems -- operates on the SWaT dataset
  • ICS PCAP Viz - A packet capture visualizer for industrial control networks.

Protocols

  • TruffleHog - A network analysis tool that works together with snort to visually represent a PROFINET network graph.
  • PowerMeter Reader - Python code to read energy usage data from a Modbus-connected PowerMeter device. Tested against Schneider Electric iEM3255 (Acti 9 iEM 3000 series - code A9MEM3255).
  • DNP3 Attack Detection System - Simple packet dissector that detects anomalous DNP3 traffic by analysing its parameters.

Radio

  • GR Smart Meters - GNU Radio module containing decoders for smart meter manufacturers.
  • GR Elster - GNU Radio block and sample flow graph are intended to receive packets transmitted by Elster smart meters on the 902-928 MHz band (tested against Elster R2S).
  • RTL-SDR Itron ERT - An rtl-sdr receiver for Itron ERT compatible smart meters operating in the 900 MHz ISM band.

Reverse Engineering

  • Binwalk - Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • ANGR - A powerful and user-friendly binary analysis platform.
  • Floss - FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • FACT - The Firmware Analysis and Comparison Tool (formerly known as Fraunhofer's Firmware Analysis Framework (FAF)) is intended to automate most of the firmware analysis process. It unpacks arbitrary firmware files and processes several analyses. Additionally, it can compare several images or single files.
  • EMBA - EMBA is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the firmware extraction process, doing static analysis and dynamic analysis via emulation and finally generating a web report. EMBA automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts or hard-coded passwords.
  • Callisto - Callisto is an intelligent automated binary vulnerability analysis tool. Its purpose is to autonomously decompile a provided binary and iterate through the pseudo code output looking for potential security vulnerabilities in that pseudo C code. Ghidra's headless decompiler is what drives the binary decompilation and analysis portion. The pseudo code analysis is initially performed by the Semgrep SAST tool and then transferred to GPT-3.5-Turbo for validation of Semgrep's findings, as well as potential identification of additional vulnerabilities.

Symbolic Execution

  • SymCC - SymCC: efficient compiler-based symbolic execution
  • IEC-Checker - This project aims to implement an open source tool for static code analysis of IEC 61131-3 programs.
  • AttkFinder - A tool that performs static program analysis of PLC programs and produces data-oriented attack vectors. In a nutshell, AttkFinder takes PLC programs written under the IEC 61131-3 standard in XML format or Structured Text, builds a Data-Flow Graph (DFG) and a Control-Flow Graph (CFG), and translates the program into a Structured Intermediate Representation Language (STIR) version. A symbolic execution engine analyses the STIR version of the code searching for attack vectors that could be exploited by a malicious actuator.

Samples

  • Trisis/Triton/Hatman - Repository containing original and decompiled files of TRISIS/TRITON/HATMAN malware

System Analysis

  • PASAD - Process-Aware Stealthy Attack Detection using SWaT and DVCP-TE
  • Archive Walker - PMU data analysis tool

Forensics

(creative commons license)