Azure-Sentinel/Playbooks/AD4IoT-TritonDetectionAndRe...
Lior Tamir cb2708e2d7 AD4IoT Playbooks 2021-06-19 16:20:44 +03:00
..
azuredeploy.json AD4IoT Playbooks 2021-06-19 16:20:44 +03:00
readme.md AD4IoT Playbooks 2021-06-19 16:20:44 +03:00

readme.md

AD4IoT - Triton Attack Playbook

Author: Amit Sheps and Lior Tamir

In December 2017, it was reported that safety systems of an unidentified power station, believed to be in Saudi Arabia, were compromised when a Triconex industrial a safety system made by Schneider Electric SE was targeted. It is believed that this was a state-sponsored attack.

Attackers used sophisticated malware called Triton. Using stolen credentials of one of the workstations on the IT domain, they managed to establish a remote desktop connection to the engineering workstation; program the PLCs and change its logic in a way that could have led to a disaster.

This playbook allows users to validate any PLC programming command which is performed to prevent a Triton attack.

Note: This playbook offers a complex flow, and requires configuration by the specific environment.

Deploy to Azure

Deploy to Azure Deploy to Azure Gov