T1059 - MicroSCADA SCILC Command Execution

DESCRIPTION

Identification of Events or Host Commands that are related to the MicroSCADA SCILC programming language and specifically command execution

Example:

C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt

Related

SCADA Sandworm

Reference:

https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology

ATT&CK TACTICS

Data Source(s): Application Log

SENTINEL RULE QUERY

let c1 = dynamic([@"\scilc.exe", "-do"]);
find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)

Triage

Evaluate the commandlines
Analyse the sample files being executed

FalsePositive

Red Team activity

VERSION

Version 1.0 (date: 10/11/2023)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

T1059-MicroSCADA-SCILC-Command-Execution.md

T1059-MicroSCADA-SCILC-Command-Execution.md

T1059 - MicroSCADA SCILC Command Execution

DESCRIPTION

ATT&CK TACTICS

SENTINEL RULE QUERY

Triage

FalsePositive

VERSION

Files

T1059-MicroSCADA-SCILC-Command-Execution.md

Latest commit

History

T1059-MicroSCADA-SCILC-Command-Execution.md

File metadata and controls

T1059 - MicroSCADA SCILC Command Execution

DESCRIPTION

ATT&CK TACTICS

SENTINEL RULE QUERY

Triage

FalsePositive

VERSION