// Detects artifacts of the TRITON ICS attack framework (Python tooling that
// talks to Triconex safety controllers via the TriStation protocol), as
// recovered during Mandiant incident response. The strings are split into two
// groups: a generic Python file-type gate ($python_*) and framework-specific
// module, function, CRC and payload-name indicators ($py_*).
rule TRITON_ICS_FRAMEWORK {
	meta:
		author = "nicholas.carr @itsreallynick"
		// MD5 of the reference sample this rule was authored against.
		md5 = "0face841f7b2953e7c29c064d6886523"
		description = "TRITON framework recovered during Mandiant ICS incident response"
	strings:
		// --- Generic Python artifacts: gate only, not malicious on their own. ---
		$python_compiled = ".pyc" ascii wide nocase
		$python_module_01 = "__module__" ascii wide nocase
		$python_module_02 = "<module>" ascii wide nocase
		$python_script_01 = "import Ts" ascii wide nocase
		$python_script_02 = "def ts_" ascii wide nocase
		// --- TS_cnames.py: Triconex / TriStation constant names. ---
		$py_cnames_01 = "TS_cnames.py" ascii wide nocase
		$py_cnames_02 = "TRICON" ascii wide nocase
		$py_cnames_03 = "TriStation " ascii wide nocase
		$py_cnames_04 = " chassis " ascii wide nocase
		// --- Shared library strings used across the Ts* modules. ---
		$py_tslibs_01 = "GetCpStatus" ascii wide nocase
		// Deliberately case-sensitive (no nocase): a short lowercase prefix would
		// otherwise match far too broadly — presumably a false-positive control.
		$py_tslibs_02 = "ts_" ascii wide
		$py_tslibs_03 = " sequence" ascii wide nocase
		$py_tslibs_04 = /import Ts(Hi|Low|Base)/ ascii wide nocase
		$py_tslibs_05 = /module\s?version/ ascii wide nocase
		$py_tslibs_06 = "bad " ascii wide nocase
		$py_tslibs_07 = "prog_cnt" ascii wide nocase
		// --- TsBase.py: base class for the TriStation protocol handlers. ---
		$py_tsbase_01 = "TsBase.py" ascii wide nocase
		$py_tsbase_02 = ".TsBase(" ascii wide nocase
		// --- TsHi.py: high-level controller operations (project/program table). ---
		$py_tshi_01 = "TsHi.py" ascii wide nocase
		$py_tshi_02 = "keystate" ascii wide nocase
		$py_tshi_03 = "GetProjectInfo" ascii wide nocase
		$py_tshi_04 = "GetProgramTable" ascii wide nocase
		$py_tshi_05 = "SafeAppendProgramMod" ascii wide nocase
		$py_tshi_06 = ".TsHi(" ascii wide nocase
		// --- TsLow.py: low-level transport and TCM (communication module) handling. ---
		$py_tslow_01 = "TsLow.py" ascii wide nocase
		$py_tslow_02 = "print_last_error" ascii wide nocase
		$py_tslow_03 = ".TsLow(" ascii wide nocase
		// Case-sensitive for the same reason as $py_tslibs_02.
		$py_tslow_04 = "tcm_" ascii wide
		$py_tslow_05 = " TCM found" ascii wide nocase
		// --- crc.pyc: bundled CRC library; constant names kept case-sensitive. ---
		$py_crc_01 = "crc.pyc" ascii wide nocase
		$py_crc_02 = "CRC16_MODBUS" ascii wide
		$py_crc_03 = "Kotov Alaxander" ascii wide nocase
		$py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
		$py_crc_05 = "crc16ret" ascii wide
		$py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
		// [^_] excludes the longer CRC16_CCITT_* variants already covered above.
		$py_crc_07 = /CRC16_CCITT[^_]/ ascii wide
		// --- sh.pyc and miscellaneous status keywords. ---
		$py_sh_01 = "sh.pyc" ascii wide nocase
		$py_keyword_01 = " FAILURE" ascii wide
		$py_keyword_02 = "symbol table" ascii wide nocase
		// --- TRIDENT payload file names (controller-side implant components). ---
		$py_TRIDENT_01 = "inject.bin" ascii wide nocase
		$py_TRIDENT_02 = "imain.bin" ascii wide nocase
	condition:
		// Several $py_* strings (" sequence", "bad ", " chassis ", " FAILURE") are
		// weak in isolation; precision comes from requiring 7 of them together
		// with the Python gate. The size cap keeps scanning cheap and is likely
		// meant to skip large containers/archives rather than the small scripts.
		2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}
Type Yara Rule
Details Website 2017-12-14 26 TRITON Malware | Attackers Deploy New ICS Attack Framework