
Modbus/TCP Covert Channel Detection Plugin for Zeek (zeek-modbus-cc)

ZeeCC/MB

Modbus/TCP Covert Channel Detection Plugin for Zeek
Explore the docs »

Getting Started · More Info · Request Feature

Table of Contents
  1. About The Project
  2. Covert Channels in Modbus/TCP
  3. References
  4. Getting Started
  5. Installation & Usage
  6. Roadmap
  7. License
  8. Contact
  9. Acknowledgments
  10. Contributing

About The Project

This project contains Zeek scripts enabling the detection of Network Covert Channels in Modbus/TCP.

The research for this project is part of my PhD thesis which will be linked here when published.

(back to top)

Covert Channels in Modbus/TCP

A covert channel is an evasion or attack technique that is used to transfer information in a secretive, unauthorized or illicit manner. (ICANN)

  • for details on (Network-) Covert Channels (and more) have a look at our novel Generic Taxonomy for Steganography Methods [WCM+22]

  • A comprehensive analysis of Covert Channels on Modbus/TCP can be found in our paper Assessment of Hidden Channel Attacks: Targetting Modbus/TCP [LD20]

Covert Channel Detection

Currently, this plugin is able to detect two covert channels in Modbus/TCP. More detectors are under development.

CC1 - Unit ID Modulation

(Figure: Modbus Unit ID Covert Channel) This covert channel uses the Unit ID field of the MBAP header to encode hidden information. Use conf.zeek to declare the Unit IDs that are legitimate for your setup in order to avoid false positives. We published and discussed this covert channel in [LD20].

CC2 - Unused Bits

(Figure: Modbus Unused Bits Covert Channel) This covert channel makes use of unused bits found in certain Modbus/TCP packets, e.g., in ReadCoilResponse packets. As Modbus/TCP is byte-oriented, 0-7 bits of the last byte may be zero-filled padding, which an adversary can leverage to establish a hidden communication channel. We published and discussed this covert channel in [LD20].
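To make the two detection ideas above concrete, here is an added, stand-alone example in Python (not a Zeek script and not part of this project). It parses the MBAP header, keeps a Unit ID allow-list in the role that conf.zeek plays for CC1, and for CC2 matches each Read Coils response to its request by transaction ID so it knows how many coils were asked for and can check that the padding bits in the last status byte are zero. The allow-list, the frames and the alert format are constructed for the example.

```python
"""Toy detector for the two Modbus/TCP covert channels described above.
Added example written in Python; not the project's Zeek code."""
import struct
from dataclasses import dataclass

# Constructed allow-list: the Unit IDs that are legitimate on this (imaginary)
# site. It plays the role that conf.zeek plays for the Zeek plugin.
ALLOWED_UNIT_IDS = {1, 2}

READ_COILS = 0x01


@dataclass
class Frame:
    tid: int     # MBAP transaction identifier
    uid: int     # MBAP unit identifier
    fc: int      # function code
    data: bytes  # PDU payload after the function code


def build_frame(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Assemble MBAP header + PDU (used only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    # length field counts the unit id byte plus the PDU
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def parse_frame(raw: bytes) -> Frame:
    """Parse the 7-byte MBAP header and function code; reject malformed frames."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", raw[:8])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(raw) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return Frame(tid, uid, fc, raw[8:])


class CovertChannelDetector:
    def __init__(self, allowed_uids):
        self.allowed = set(allowed_uids)
        self.pending = {}   # (tid, uid) -> coil quantity from the matching request
        self.alerts = []    # (channel, tid, message) tuples, like notice.log rows

    def process(self, raw: bytes, is_request: bool) -> Frame:
        f = parse_frame(raw)
        # CC1: any Unit ID outside the allow-list is reported.
        if f.uid not in self.allowed:
            self.alerts.append(("CC1_UNIT_ID", f.tid, f"unit id {f.uid} not in allow-list"))
        if f.fc == READ_COILS:
            if is_request:
                _start, qty = struct.unpack(">HH", f.data[:4])
                self.pending[(f.tid, f.uid)] = qty
            else:
                self._check_unused_bits(f)
        return f

    def _check_unused_bits(self, f: Frame) -> None:
        # CC2: coil status is packed LSB-first, so coils beyond the requested
        # quantity occupy the high bits of the last byte and must be zero.
        qty = self.pending.pop((f.tid, f.uid), None)
        if qty is None:
            return  # no matching request seen; nothing to compare against
        byte_count = f.data[0]
        coils = f.data[1:1 + byte_count]
        if byte_count != (qty + 7) // 8 or len(coils) != byte_count:
            self.alerts.append(("MALFORMED", f.tid, "byte count inconsistent with request"))
            return
        unused = byte_count * 8 - qty
        if unused == 0:
            return
        mask = (0xFF << (8 - unused)) & 0xFF
        padding = coils[-1] & mask
        if padding:
            self.alerts.append(("CC2_UNUSED_BITS", f.tid,
                                f"{unused} padding bits carry value {padding >> (8 - unused):#b}"))


def run_sample():
    """Feed constructed traffic through the detector and return its alerts."""
    det = CovertChannelDetector(ALLOWED_UNIT_IDS)
    # Every request asks for 13 coils from address 0: 2 status bytes, 3 unused bits.
    req = struct.pack(">HH", 0, 13)
    # tid 1: benign response, padding bits all zero.
    det.process(build_frame(1, 1, READ_COILS, req), is_request=True)
    det.process(build_frame(1, 1, READ_COILS, b"\x02\xff\x1f"), is_request=False)
    # tid 2: same coil values, but the three padding bits are set to 0b101.
    det.process(build_frame(2, 1, READ_COILS, req), is_request=True)
    det.process(build_frame(2, 1, READ_COILS, b"\x02\xff\xbf"), is_request=False)
    # tid 3: request carrying a Unit ID that is not legitimate on this site.
    det.process(build_frame(3, 77, READ_COILS, req), is_request=True)
    return det.alerts


if __name__ == "__main__":
    for channel, tid, msg in run_sample():
        print(f"{channel:16} tid={tid} {msg}")
```

The request/response pairing is what makes CC2 checkable at all: the response alone does not say how many of its bits are meaningful, so a detector (the Zeek plugin included) has to remember the quantity from the request for the same transaction ID. The MALFORMED alert covers responses whose byte count disagrees with that quantity, which would otherwise let an attacker sidestep the padding check.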

(back to top)

References

  • [WCM+22] Wendzel, Steffen; Caviglione, Luca; Mazurczyk, Wojciech; Mileva, Aleksandra; Dittmann, Jana; Krätzer, Christian; et al. (2022): A Generic Taxonomy for Steganography Methods. TechRxiv. Preprint. https://doi.org/10.36227/techrxiv.20215373.v2
  • [LD20] Kevin Lamshöft, Jana Dittmann, Assessment of Hidden Channel Attacks: Targetting Modbus/TCP, IFAC-PapersOnLine, Volume 53, Issue 2, 2020, Pages 11100-11107, ISSN 2405-8963, https://doi.org/10.1016/j.ifacol.2020.12.258.

(back to top)

Getting Started

Fortunately, Zeek is quite easy to use. The same holds true for any plugins. Just follow these simple steps:

Prerequisites

As you probably already guessed, you need Zeek installed before using this plugin.

Here's a short primer on Zeek, taken from the original repo. Of course, feel free to ignore this and just use any package manager you fancy.

  • Zeek
    git clone --recursive https://github.com/zeek/zeek
    ./configure && make && sudo make install
  • CISA Modbus Parser
    With Zeek properly installed, you are basically done with the prerequisites, but I highly recommend using the excellent CISA ICSNPP Modbus parser to get more detailed logs. For installation of the parser, please head over to the CISA ICS-NPP Modbus Repo.

That's all, happy times! With Zeek running properly you can now proceed with the installation of the actual detection scripts.

Installation & Usage

Quick start

  1. Clone the repo:

    git clone https://github.com/gheek/ZeeCC-MB.git
  2. Run & Test the plugin with the provided pcaps, for example:

    zeek -Cr test/unused_bits_sample.pcap zeek-modbus-cc

    Check the /test directory for more examples.

  3. Detection results are written to notice.log:

    cat notice.log
    

Detailed Instructions

  1. Clone the repo

    git clone https://github.com/gheek/ZeeCC-MB.git
  2. To install this script manually, clone this repository and copy the zeek-modbus-cc directory into ${ZEEK_INSTALLATION_DIR}/share/zeek/site/zeek-modbus-cc.

    git clone https://github.com/gheek/ZeeCC-MB.git
    zeek_install_dir=$(dirname "$(dirname "$(command -v zeek)")")
    cp -r zeek-modbus-cc $zeek_install_dir/share/zeek/site/zeek-modbus-cc
  3. If you are using a site deployment, simply add the line @load zeek-modbus-cc to your site/local.zeek file (for example with echo '@load zeek-modbus-cc' >> local.zeek).

  4. If you are not using site/local.zeek or another site installation of Zeek and just want to run this package on a packet capture you can add zeek-modbus-cc to your command to run this plugin's scripts on the packet capture:

    zeek -Cr test/unused_bits_sample.pcap zeek-modbus-cc

(back to top)

Roadmap

  • Make the plugin compatible with the zkg package manager
    • create zkg.meta
  • Implement more covert channels
  • Implement more ICS/OT protocols
  • Integrate into my anomaly detection pipeline (under active development)

See the open issues for a full list of proposed features (and known issues).

(back to top)

License

Distributed under the MIT License. See LICENSE.txt for more information.

(back to top)

Contact

Kevin Lamshöft - LinkedIn - github@gheek.de

Project Link: https://github.com/gheek/ZeeCC-MB

(back to top)

Acknowledgments

(back to top)

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

(back to top)
