Detection Logic and Industrial Threat Hunting
Detecting scanning and intrusion attempts associated with TRK25-ADVANCED requires a combination of network monitoring and centralized log analysis. Because the tool relies on rapid, automated connections, its behavior is highly visible to properly configured network sensors.
To detect potential TRK25-ADVANCED Modbus scanning activity, security administrators should deploy the following Suricata network detection rule. It keys on the first six bytes of the Modbus/TCP MBAP header: transaction identifier 0x0000, protocol identifier 0x0000 and a length field of 6, which is the length of the common read and single-write requests (function code plus two 16-bit fields). Two caveats follow from that: the rule fires on any Modbus client from $EXTERNAL_NET whose transaction identifier is zero, so it is only meaningful on segments where no external Modbus traffic is expected, and a scanner that increments the transaction identifier will not match the first two bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"MALICIOUS SCADA - TRK25-ADVANCED Modbus TCP Scan Attempt"; flow:to_server,established; content:"|00 00 00 00 00 06|"; depth:6; reference:url,ransom-isac.com; classtype:bad-unknown; sid:1000001; rev:1;)
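As an added illustration, not code from the original page, the Python below crafts Modbus/TCP read requests and applies the rule's content/depth test to them offline. It assumes only that test matters (the port and flow conditions of the rule are taken as already satisfied); the transaction-id-agnostic variant at the end is the editor's generalization, not the page's rule.

```python
"""Added example, not part of the original page: craft Modbus/TCP read requests
and evaluate the rule's content/depth test against them offline.

Assumptions: only the `content:"|00 00 00 00 00 06|"; depth:6;` test is emulated;
the port and flow conditions of the rule are taken as already satisfied.
"""
import struct

# Public Modbus function codes used for the sample requests
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03

RULE_CONTENT = bytes.fromhex("00 00 00 00 00 06")  # pattern from the rule above
RULE_DEPTH = 6


def build_modbus_request(transaction_id, unit_id, function_code, start_address, quantity):
    """Return a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0 for Modbus) |
           length (2) | unit id (1).
    Length counts the unit id plus the PDU; a read request's PDU is
    function code (1) + start address (2) + quantity (2), so length is 6.
    """
    pdu = struct.pack(">BHH", function_code, start_address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, 1 + len(pdu), unit_id)
    return mbap + pdu


def decode_mbap(frame):
    """Split the MBAP header back into its fields (handy when eyeballing a pcap)."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    return {"transaction_id": tid, "protocol_id": pid, "length": length, "unit_id": uid}


def content_matches(payload, content, depth, offset=0):
    """Emulate Suricata's content/offset/depth semantics: the pattern must lie
    entirely within payload[offset:depth]."""
    return content in payload[offset:depth]


def rule_fires(payload):
    """The page's rule: the first six payload bytes must be 00 00 00 00 00 06,
    i.e. transaction id 0, protocol id 0, length 6."""
    return content_matches(payload, RULE_CONTENT, RULE_DEPTH)


# Generalisation (editor's assumption, not from the page): ignore the transaction
# id and anchor on protocol id 0 + length 6 at bytes 2..5, which in Suricata is
#   content:"|00 00 00 06|"; offset:2; depth:6;
VARIANT_CONTENT = bytes.fromhex("00 00 00 06")


def variant_fires(payload):
    return content_matches(payload, VARIANT_CONTENT, depth=6, offset=2)


if __name__ == "__main__":
    first = build_modbus_request(0, 1, READ_HOLDING_REGISTERS, 0, 10)    # tid 0: rule fires
    second = build_modbus_request(1, 1, READ_HOLDING_REGISTERS, 0, 10)   # tid 1: rule misses
    for frame in (first, second):
        print(frame.hex(), decode_mbap(frame),
              "rule:", rule_fires(frame), "variant:", variant_fires(frame))
```

Running it shows the gap described above: the request with transaction id 1 is byte-for-byte a Modbus read, yet the page's pattern misses it while the offset-anchored variant catches both.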
Alongside the network rule, teams using Microsoft Sentinel with the Microsoft Defender for Endpoint connector (which populates the DeviceNetworkEvents and DeviceLogonEvents tables) can run the following Kusto Query Language query. It flags internal hosts that perform rapid remote-administration sweeps and are paired with repeated failed network logons against default-style account names:
let SweepPorts = dynamic([502, 5900, 3389, 22]);
let WeakUsers = dynamic(['admin', 'root', 'scada', 'operator', 'plc', 'hmi']);
// Hosts that reached more than 10 distinct remote IPs on one sweep port within a 5-minute window
let Sweeps = DeviceNetworkEvents
| where RemotePort in (SweepPorts)
| summarize DistinctTargets = dcount(RemoteIP)
    by DeviceName, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName, RemotePort, Window = bin(TimeGenerated, 5m)
| where DistinctTargets > 10;
// Failed network logons using default-style names, counted per attempting IP and window (in~ is case-insensitive)
let Failures = DeviceLogonEvents
| where LogonType == "Network" and ActionType == "LogonFailed"
| where AccountName in~ (WeakUsers)
| summarize FailedLogons = count(), TargetsHit = dcount(DeviceName), Accounts = make_set(AccountName)
    by RemoteIP, Window = bin(TimeGenerated, 5m)
| where FailedLogons > 5;
// Failed logons are recorded on the target device, so the scanner shows up there as RemoteIP;
// join that to the scanner's own LocalIP in its network events, within the same window
Sweeps
| join kind=inner Failures on $left.LocalIP == $right.RemoteIP, Window
| project Window, DeviceName, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName, RemotePort, DistinctTargets, FailedLogons, TargetsHit, Accounts
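To make the correlation testable without a Sentinel workspace, the following is an added Python re-implementation (not code from the original page) of the same logic over constructed sample events. The field names mirror the DeviceNetworkEvents and DeviceLogonEvents columns; the host names, IP addresses, process names and thresholds (10 targets, 5 failures) are assumptions made for this example.

```python
"""Added example, not part of the original page: the correlation performed by
the KQL query above, re-implemented in Python over constructed sample events so
it can be run offline. Field names mirror the Sentinel DeviceNetworkEvents and
DeviceLogonEvents columns; the hosts, IPs and processes are made up here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SWEEP_PORTS = {502, 5900, 3389, 22}
WEAK_USERS = {"admin", "root", "scada", "operator", "plc", "hmi"}
WINDOW = timedelta(minutes=5)
MIN_TARGETS = 10   # distinct remote IPs per host/port/window before it counts as a sweep
MIN_FAILURES = 5   # failed logons per source IP/window before they count as "repeated"


def window_of(ts):
    """Equivalent of bin(TimeGenerated, 5m): floor to the 5-minute boundary."""
    return ts - (ts - datetime.min) % WINDOW


def find_sweeps(network_events):
    """(device, local ip, process, port, window) -> distinct targets, above threshold."""
    targets = defaultdict(set)
    for ev in network_events:
        if ev["RemotePort"] in SWEEP_PORTS:
            key = (ev["DeviceName"], ev["LocalIP"], ev["InitiatingProcessFileName"],
                   ev["RemotePort"], window_of(ev["TimeGenerated"]))
            targets[key].add(ev["RemoteIP"])
    return {k: len(v) for k, v in targets.items() if len(v) > MIN_TARGETS}


def find_failures(logon_events):
    """(source ip, window) -> failed network logons with default-style names, above threshold."""
    failures = defaultdict(lambda: {"count": 0, "accounts": set()})
    for ev in logon_events:
        if ev["LogonType"] != "Network" or ev["ActionType"] != "LogonFailed":
            continue
        if ev["AccountName"].lower() not in WEAK_USERS:   # case-insensitive, like in~
            continue
        bucket = failures[(ev["RemoteIP"], window_of(ev["TimeGenerated"]))]
        bucket["count"] += 1
        bucket["accounts"].add(ev["AccountName"])
    return {k: v for k, v in failures.items() if v["count"] > MIN_FAILURES}


def correlate(network_events, logon_events):
    """Inner join: the sweeping host's LocalIP must be the RemoteIP behind the
    failed logons, in the same 5-minute window."""
    failures = find_failures(logon_events)
    alerts = []
    for (device, local_ip, process, port, win), n_targets in find_sweeps(network_events).items():
        hit = failures.get((local_ip, win))
        if hit:
            alerts.append({"Window": win, "DeviceName": device, "LocalIP": local_ip,
                           "Process": process, "RemotePort": port,
                           "DistinctTargets": n_targets, "FailedLogons": hit["count"],
                           "Accounts": sorted(hit["accounts"])})
    return alerts


# ---- constructed sample data (not real telemetry) ----
T0 = datetime(2024, 3, 1, 9, 2, 0)


def sample_network_events():
    events = []
    for i in range(12):                        # WS-17 sweeps 12 hosts on 502 and on 3389
        for port in (502, 3389):
            events.append({"TimeGenerated": T0 + timedelta(seconds=3 * i), "DeviceName": "WS-17",
                           "LocalIP": "10.0.1.50", "InitiatingProcessFileName": "scan.exe",
                           "RemotePort": port, "RemoteIP": f"10.0.2.{i + 1}"})
    for i in range(2):                         # ENG-03 polls two PLCs: normal operations
        events.append({"TimeGenerated": T0 + timedelta(seconds=i), "DeviceName": "ENG-03",
                       "LocalIP": "10.0.1.20", "InitiatingProcessFileName": "hmi.exe",
                       "RemotePort": 502, "RemoteIP": f"10.0.2.{i + 1}"})
    return events


def sample_logon_events():
    events = []
    for i in range(6):                         # six failed 'admin' logons sourced from WS-17
        events.append({"TimeGenerated": T0 + timedelta(seconds=5 * i), "DeviceName": f"HMI-{i}",
                       "RemoteIP": "10.0.1.50", "LogonType": "Network",
                       "ActionType": "LogonFailed", "AccountName": "Admin" if i % 2 else "admin"})
    events.append({"TimeGenerated": T0, "DeviceName": "HMI-0", "RemoteIP": "10.0.1.20",
                   "LogonType": "Network", "ActionType": "LogonFailed",
                   "AccountName": "operator"})  # one mistyped password from ENG-03: below threshold
    return events


if __name__ == "__main__":
    for alert in correlate(sample_network_events(), sample_logon_events()):
        print(alert)
```

Failed logons land in DeviceLogonEvents on the target device, where the scanner is identified by RemoteIP; in the scanner's own DeviceNetworkEvents rows it is identified by LocalIP. That is the pair this example joins on, bucketed into the same five-minute window, which is why the engineering workstation polling two PLCs and producing one failed logon stays quiet while the sweeping host alerts once per port.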