ICS-Forensics-Tools – Microsoft ICS Forensics Framework

Microsoft ICS Forensics Tools is an open source forensic framework for analyzing Industrial PLC metadata and project files.
Microsoft ICS 取证工具是一个开源取证框架，用于分析工业 PLC 元数据和项目文件。
it enables investigators to identify suspicious artifacts on ICS environment for detection of compromised devices during incident response or manual check.
它使调查人员能够识别 ICS 环境中的可疑工件，以便在事件响应或手动检查期间检测受感染的设备。
open source framework, which allows investigators to verify the actions of the tool or customize it to specific needs.
开源框架，允许调查人员验证工具的操作或根据特定需求对其进行自定义。

Getting Started 开始

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.
这些说明将使你在本地计算机上启动并运行项目的副本，以便进行开发和测试。

git clone https://github.com/microsoft/ics-forensics-tools.git

Prerequisites 先决条件

• Install Python >= 3.9: https://www.python.org/downloads
  安装 Python >= 3.9：https://www.python.org/downloads

Installing 安装

• Install python requirements
  安装 python 要求

  pip install -r requirements.txt
  

Usage 用法

General application arguments:
一般应用参数：

Specific plugin arguments:
具体插件参数：

Executing examples in the command line
在命令行中执行示例

 python driver.py -s -v PluginName --ip ips.csv
 python driver.py -s -v PluginName --analyzer AnalyzerName
 python driver.py -s -v -c config.json --multiprocess

Import as library example
导入为库示例

from forensic.client.forensic_client import ForensicClient
from forensic.interfaces.plugin import PluginConfig
forensic = ForensicClient()
plugin = PluginConfig.from_json({
    "name": "PluginName",
    "port": 123,
    "transport": "tcp",
    "addresses": [{"ip": "192.168.1.0/24"}, {"ip": "10.10.10.10"}],
    "parameters": {
    },
    "analyzers": []
})
forensic.scan([plugin])

Architecture 建筑

Adding Plugins 添加插件

When developing locally make sure to mark src folder as “Sources root”
在本地开发时，请确保将 src 文件夹标记为“源根目录”

• Create new directory under plugins folder with your plugin name
  在plugins文件夹下创建新目录，其中包含您的插件名称
• Create new Python file with your plugin name
  使用您的插件名称创建新的 Python 文件
• Use the following template to write your plugin and replace ‘General’ with your plugin name
  使用以下模板编写插件，并将“General”替换为插件名称

from pathlib import Path
from forensic.interfaces.plugin import PluginInterface, PluginConfig, PluginCLI
from forensic.common.constants.constants import Transport


class GeneralCLI(PluginCLI):
    def __init__(self, folder_name):
        super().__init__(folder_name)
        self.name = "General"
        self.description = "General Plugin Description"
        self.port = 123
        self.transport = Transport.TCP

    def flags(self, parser):
        self.base_flags(parser, self.port, self.transport)
        parser.add_argument('--general', help='General additional argument', metavar="")


class General(PluginInterface):
    def __init__(self, config: PluginConfig, output_dir: Path, verbose: bool):
        super().__init__(config, output_dir, verbose)

    def connect(self, address):
        self.logger.info(f"{self.config.name} connect")

    def export(self,    extracted):
        self.logger.info(f"{self.config.name} export")

• Make sure to import your new plugin in the __init__.py file under the plugins folder
  确保在 plugins 文件夹下的 __init__.py 文件中导入新插件
• In the PluginInterface inherited class there is ‘config’ parameters, you can use this to access any data that’s available in the PluginConfig object (plugin name, addresses, port, transport, parameters).
  在 PluginInterface 继承的类中，有“config”参数，您可以使用它来访问 PluginConfig 对象中可用的任何数据（插件名称、地址、端口、传输、参数）。
  there are 2 mandatory functions (connect, export).
  有 2 个必需功能（连接、导出）。
  the connect function receives single ip address and extracts any relevant information from the device and return it.
  Connect 函数接收单个 IP 地址，并从设备中提取任何相关信息并返回。
  the export function receives the information that was extracted from all the devices and there you can export it to file.
  导出功能接收从所有设备中提取的信息，您可以在其中将其导出到文件。
• In the PluginCLI inherited class you need to specify in the init function the default information related to this plugin.
  在 PluginCLI 继承的类中，您需要在 init 函数中指定与此插件相关的默认信息。
  there is a single mandatory function (flags).
  有一个必需的函数（标志）。
  In which you must call base_flags, and you can add any additional flags that you want to have.
  您必须在其中调用 base_flags，并且可以添加您想要的任何其他标志。

Adding Analyzers 添加分析器

• Create new directory under analyzers folder with the plugin name that related to your analyzer.
  在 analyzers 文件夹下创建新目录，其中包含与分析器相关的插件名称。
• Create new Python file with your analyzer name
  使用分析器名称创建新的 Python 文件
• Use the following template to write your plugin and replace ‘General’ with your plugin name
  使用以下模板编写插件，并将“General”替换为插件名称

from pathlib import Path
from forensic.interfaces.analyzer import AnalyzerInterface, AnalyzerConfig


class General(AnalyzerInterface):
    def __init__(self, config: AnalyzerConfig, output_dir: Path, verbose: bool):
        super().__init__(config, output_dir, verbose)
        self.plugin_name = 'General'
        self.create_output_dir(self.plugin_name)

    def analyze(self):
      pass

• Make sure to import your new analyzer in the __init__.py file under the analyzers folder
  确保在 analyzers 文件夹下的 __init__.py 文件中导入新分析器

Resources and Technical data & solution:
资源和技术数据及解决方案：

Microsoft Defender for IoT is an agentless network-layer security solution that allows organizations to continuously monitor and discover assets, detect threats, and manage vulnerabilities in their IoT/OT and Industrial Control Systems (ICS) devices, on-premises and in Azure-connected environments.
Microsoft Defender for IoT 是一种无代理网络层安全解决方案，允许组织持续监视和发现资产、检测威胁并管理其 IoT/OT 和工业控制系统 （ICS） 设备、本地和 Azure 连接环境中的漏洞。

Section 52 under MSRC blog
MSRC 博客下的第 52 节
ICS Lecture given about the tool
ICS关于该工具的讲座
Section 52 – Investigating Malicious Ladder Logic | Microsoft Defender for IoT Webinar – YouTube
第 52 节 – 调查恶意梯形逻辑 |Microsoft Defender for IoT 网络研讨会 – YouTube

Contributing 贡献

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
本项目欢迎投稿和建议。大多数贡献要求您同意贡献者许可协议 （CLA），声明您有权并实际授予我们使用您的贡献的权利。有关详细信息，请访问 https://cla.opensource.microsoft.com。

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
当你提交拉取请求时，CLA 机器人将自动确定你是否需要提供 CLA 并适当地修饰 PR（例如，状态检查、评论）。只需按照机器人提供的说明进行操作即可。使用我们的 CLA 在所有存储库中，您只需执行此操作一次。

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
此项目采用了 Microsoft 开源行为准则。有关更多信息，请参阅行为准则常见问题解答，或联系 [email protected] 提出任何其他问题或意见。

Trademarks 商标

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.
本项目可能包含项目、产品或服务的商标或徽标。Microsoft 商标或徽标的授权使用受 Microsoft 商标和品牌指南的约束，并且必须遵循这些准则。在本项目的修改版本中使用 Microsoft 商标或徽标不得造成混淆或暗示 Microsoft 赞助。对第三方商标或徽标的任何使用均受这些第三方政策的约束。

原文始发于FARADAYSEC：ICS-Forensics-Tools – Microsoft ICS Forensics Framework