CyberAv3ngers Pivot to Rockwell PLCs as Iran War Triggers Escalated Attacks on US Water and Energy Systems
Six agencies, including CISA, the FBI, NSA, EPA, DOE, and US Cyber Command, issued a joint advisory on April 7, 2026, warning that Iranian-affiliated APT actors have been disrupting Rockwell Automation and Allen-Bradley programmable logic controllers across US water, energy, and government sectors since March 2026 [1]. The campaign has caused operational disruptions at multiple victim organizations [1]. This marks a significant expansion beyond the group's prior focus on Israeli-made Unitronics devices and signals a broader, more capable adversary than the one that defaced PLCs at a Pennsylvania water authority in late 2023.
The timing is not subtle. On February 28, 2026, the United States and Israel launched Operation Epic Fury, a coordinated airstrike campaign against Iranian military and leadership targets that killed Supreme Leader Ali Khamenei [6]. Iran responded with missile and drone strikes and closed the Strait of Hormuz [6]. The cyber campaign against US critical infrastructure is a direct component of Iran's retaliatory posture.
CyberAv3ngers: From Defacement to Disruption
CyberAv3ngers is an IRGC-affiliated operation tracked under multiple designations: Hydro Kitten, Storm-0784, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and Shahid Kaveh Group [2].
The group's public activity began in November 2023 when it compromised at least 75 Unitronics Vision Series PLC devices across multiple critical infrastructure sectors, with a significant focus on water and wastewater facilities [2]. The most visible victim was the Municipal Water Authority of Aliquippa, Pennsylvania, where attackers seized control of a booster station monitoring water pressure for Raccoon and Potter Townships on November 25, 2023 [4]. The system was disabled, prompting a Pennsylvania State Police criminal investigation [4].
At that stage, the group's methods were crude: authenticating to internet-exposed Unitronics PLCs via the default TCP port 20256 using default passwords or no passwords at all [2]. Compromised HMIs displayed the message: "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target" [2]. The US sanctioned six IRGC officials on February 2, 2024, in direct response [5], and the Rewards for Justice program now offers up to $10 million for information on the group [5].
By 2024, the group had matured. CyberAv3ngers deployed custom malware called IOCONTROL against US water and fuel management systems [5].
The March 2026 Campaign: New Targets, New Tools
The current wave is qualitatively different from the 2023 Unitronics campaign. Attackers have shifted their targeting to Rockwell Automation and Allen-Bradley PLCs, a far more prevalent platform in US industrial environments [1]. Rather than simply exploiting default credentials on exposed devices, the actors are using leased, third-party hosted infrastructure running Studio 5000 Logix Designer, Rockwell's proprietary configuration software, to establish accepted connections to victim PLCs [1].
This matters. Studio 5000 Logix Designer is the standard engineering tool for programming and configuring Allen-Bradley ControlLogix and CompactLogix controllers. By using legitimate software through what appear to be authorized connections, the attackers can modify PLC project files and manipulate HMI/SCADA displays while blending into normal engineering traffic [1].
The advisory states plainly that "Iranian-affiliated APT actors are conducting this activity to cause disruptive effects within the United States" [1]. This isn't espionage or reconnaissance. The intent is disruption.
IOCONTROL: A Purpose-Built OT Weapon
Claroty's Team82 published detailed analysis of IOCONTROL, the custom malware CyberAv3ngers deployed against IoT and OT devices [8]. Key characteristics:
- Platform: Linux-based backdoor with modular configuration designed for IoT/OT environments [8]
- C2 Protocol: Communicates via MQTT (Message Queuing Telemetry Transport) over port 8883, a protocol commonly used in industrial and IoT settings [8]
- Evasion: Uses DNS over HTTPS (DoH) through the Cloudflare API to resolve C2 infrastructure, making DNS-based detection significantly harder [8]
- Binary location: The malware binary `iocontrol` is stored in `/usr/bin/` according to analysis [8]
The choice of MQTT for command and control is deliberate. MQTT traffic is expected on many OT networks, so C2 communications can hide among legitimate sensor and device telemetry.
Sectors and Scope Under Attack
The joint advisory identifies three primary target sectors: Government Services and Facilities, Water and Wastewater Systems, and Energy [1].
The expansion from water utilities to energy and government facilities tracks with the broader conflict escalation. Iranian threat actors are assessed to be moving faster and more broadly, targeting both IT and OT infrastructure.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 159.100.6.69 | IOCONTROL C2 server | [8] |
| Filename | iocontrol | Malware binary stored in /usr/bin/ | [8] |
| Malware | IOCONTROL | Custom Linux backdoor targeting IoT/OT devices | [8] |
| Tool | Studio 5000 Logix Designer | Legitimate Rockwell software abused to connect to victim PLCs | [1] |
MITRE ATT&CK Mapping
| Technique ID | Name | Application |
|---|---|---|
| T1078.001 | Valid Accounts: Default Accounts | Default/no password exploitation on Unitronics PLCs [2] |
| T1046 | Network Service Scanning | Scanning for internet-exposed PLCs on known ports [2] |
| T1071.001 | Application Layer Protocol: Web Protocols | MQTT over port 8883 for C2; DoH via Cloudflare for DNS resolution [8] |
| T1565.001 | Stored Data Manipulation | Modification of PLC project files and HMI displays [1] |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Shell script execution for malware deployment [8] |
| T1082 | System Information Discovery | Device reconnaissance post-compromise [8] |
| T0883 | Internet Accessible Device | Exploitation of internet-facing OT equipment [2] |
Detection and Hunting
Network-Level Indicators:
- Monitor for MQTT traffic on port 8883 originating from PLC or OT network segments to external IPs, particularly `159.100.6.69` [8]. MQTT on OT networks is normal between internal devices; outbound MQTT to internet hosts is not.
- Alert on DNS over HTTPS (DoH) connections from OT network segments to Cloudflare's DoH endpoints (`1.1.1.1`, `1.0.0.1`, `cloudflare-dns.com`). OT devices should not be performing encrypted DNS resolution to external providers [8].
- Flag any connections from external IPs using Studio 5000 Logix Designer to internal Rockwell/Allen-Bradley controllers. Legitimate engineering sessions should originate from known internal workstations [1].
Host-Level Indicators:
- Search Linux-based OT and IoT devices for the `/usr/bin/iocontrol` binary [8].
- On Unitronics devices, check for connections on TCP port 20256 from unrecognized source IPs [2].
SIEM/Log Queries:
- `index=network dest_port=8883 src_ip IN (ot_network_ranges) NOT dest_ip IN (known_internal_ranges)` to identify MQTT leaving OT segments for external hosts.
- `index=dns query="cloudflare-dns.com" src_ip IN (ot_network_ranges)` for DoH from OT segments.
- `index=firewall action=allowed dest_port=44818 src_ip NOT IN (engineering_workstations)` for unauthorized EtherNet/IP connections to Rockwell controllers (default port 44818).
Behavioral:
- Unexpected PLC program changes, firmware modifications, or HMI display alterations outside scheduled maintenance windows are high-fidelity indicators [1].
- Any PLC displaying defacement messages or political imagery warrants immediate isolation and forensic response [2].
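The three network-level hunts above, written out as an added example (not code from the advisory or this report) over constructed Zeek-style connection records. The OT ranges, internal ranges, engineering-workstation allowlist and all sample flows are placeholder assumptions; only the C2 address, DoH endpoints and ports come from the text.

```python
# Added example: network-level hunts from the Detection section over constructed flows.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed environment model (placeholder values, not from the advisory).
OT_RANGES = [ip_network("10.100.0.0/16"), ip_network("172.20.0.0/16")]
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]
ENGINEERING_WORKSTATIONS = {"10.20.0.11", "10.20.0.12"}
IOCONTROL_C2 = "159.100.6.69"                    # from the Claroty report [8]
DOH_ENDPOINTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
ETHERNET_IP_PORT = 44818                          # Rockwell EtherNet/IP
MQTT_TLS_PORT = 8883


@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    sni: Optional[str] = None   # TLS server name, if the flow was TLS


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def hunt_mqtt_egress(c: Conn) -> Optional[str]:
    """OT source talking MQTT/TLS to a non-internal host (IOCONTROL C2 pattern)."""
    if c.dport != MQTT_TLS_PORT or not in_any(c.src, OT_RANGES):
        return None
    if in_any(c.dst, INTERNAL_RANGES):
        return None                      # broker-to-device MQTT inside OT is expected
    sev = "critical" if c.dst == IOCONTROL_C2 else "high"
    return f"{sev}: outbound MQTT {c.src} -> {c.dst}:{c.dport}"


def hunt_doh_from_ot(c: Conn) -> Optional[str]:
    """OT device resolving names over HTTPS via a public DoH endpoint."""
    if c.dport != 443 or not in_any(c.src, OT_RANGES):
        return None
    if c.sni in DOH_ENDPOINTS or c.dst in DOH_ENDPOINTS:
        return f"high: DoH from OT {c.src} -> {c.sni or c.dst}"
    return None


def hunt_unauthorised_enip(c: Conn) -> Optional[str]:
    """EtherNet/IP session to a controller from outside the engineering allowlist."""
    if c.dport != ETHERNET_IP_PORT or c.src in ENGINEERING_WORKSTATIONS:
        return None
    origin = "internal" if in_any(c.src, INTERNAL_RANGES) else "EXTERNAL"
    return f"high: {origin} EtherNet/IP to {c.dst} from unlisted host {c.src}"


def run_hunts(conns) -> list:
    alerts = []
    for c in conns:
        for hunt in (hunt_mqtt_egress, hunt_doh_from_ot, hunt_unauthorised_enip):
            a = hunt(c)
            if a:
                alerts.append(a)
    return alerts


# Constructed sample flows (not real telemetry).
SAMPLE = [
    Conn("2026-03-12T02:14:03Z", "10.100.3.21", "10.100.0.5", 8883),      # in-plant broker: benign
    Conn("2026-03-12T02:14:09Z", "10.100.3.21", "159.100.6.69", 8883),    # C2 pattern
    Conn("2026-03-12T02:14:10Z", "10.100.3.21", "104.16.248.249", 443, "cloudflare-dns.com"),
    Conn("2026-03-12T02:15:44Z", "10.20.0.11", "10.100.1.40", 44818),     # allowlisted workstation
    Conn("2026-03-12T02:16:02Z", "203.0.113.77", "10.100.1.40", 44818),   # external Studio 5000 host
]

if __name__ == "__main__":
    for line in run_hunts(SAMPLE):
        print(line)
```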
Analysis
The CyberAv3ngers campaign has gone through three distinct phases. Phase one (November 2023 to January 2024) was opportunistic and primarily symbolic: scanning for low-hanging fruit, exploiting default credentials, and defacing HMI screens [2]. Phase two (2024) introduced custom malware in the form of IOCONTROL, demonstrating genuine OT-specific development capability [5] [8]. Phase three (March 2026 to present) leverages legitimate engineering software against a major US PLC vendor, represents a broader target set, and is explicitly aimed at causing disruption rather than sending messages [1].
Each phase shows increased sophistication. The jump from Unitronics to Rockwell Automation is particularly significant because Allen-Bradley controllers are among the most widely deployed industrial platforms in the United States. Compromising these systems requires different tooling and deeper industrial process knowledge.
The geopolitical context is essential to understanding the campaign's trajectory. The attacks accelerated immediately after Operation Epic Fury began on February 28, 2026 [6]. With the conflict ongoing, there's a reasonable probability that the tempo of attacks could continue or escalate. IRGC cyber units have historically maintained persistent access to compromised infrastructure long after active hostilities subside, meaning implants placed during March likely remain active.
Red Sheep Assessment
Confidence: Moderate-High
The shift from Unitronics to Rockwell Automation PLCs suggests CyberAv3ngers has either acquired or developed new capabilities specifically for the US industrial environment. The 2023 campaign targeted Israeli-made equipment out of ideological motivation [2]. The 2026 campaign targets the most common US industrial platform regardless of manufacturer origin [1]. This indicates the group has moved past symbolic targeting toward operationally meaningful infrastructure selection.
The use of leased third-party infrastructure running Studio 5000 Logix Designer [1] is particularly concerning. It means the attackers can establish connections that look like legitimate engineering sessions, complicating network-based detection. Organizations that don't maintain strict allowlists of authorized engineering workstations will have difficulty distinguishing attacker activity from normal operations.
A contrarian reading: some of the reported "disruption" may still be closer to vandalism than genuine process manipulation. The advisory describes manipulation of HMI/SCADA displays [1], which could mean anything from defacement to actual process interference. This distinction matters for risk modeling: the group may be capable of more damage than it has actually inflicted so far, or it may be deliberately calibrating its actions to stay below a threshold that would trigger a more severe US response.
The ongoing conflict creates an uncertain period. Cyber operations rarely stop on a diplomatic timeline. Access gained during March almost certainly persists, and the IRGC has strong incentives to maintain dormant footholds regardless of kinetic conflict status. Defenders should treat this period as an opportunity to hunt and remediate, not as a signal that the threat has passed.
Defender's Checklist
- [ ] Audit all internet-facing Rockwell Automation/Allen-Bradley and Unitronics PLCs. Remove from direct internet exposure immediately. Use `shodan` or `censys` queries for your own IP ranges targeting ports 44818 (EtherNet/IP), 20256 (Unitronics), and 2222 (Rockwell) to identify exposed assets [1] [2].
- [ ] Restrict Studio 5000 Logix Designer connections to a strict allowlist of authorized engineering workstation IPs. Block all other source IPs at the network level. Log every connection attempt [1].
- [ ] Hunt for IOCONTROL indicators on Linux-based OT/IoT devices: search for `/usr/bin/iocontrol` and outbound MQTT on port 8883 to external hosts [8].
- [ ] Change all default credentials on Unitronics Vision Series PLCs (default password: `1111`). Disable unauthenticated access on TCP port 20256 [2].
- [ ] Monitor for DNS over HTTPS from OT network segments. Block DoH at the network perimeter for OT VLANs, or at minimum alert on it. OT devices have no legitimate reason to use encrypted DNS to external resolvers [8].
References
[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
[3] https://thehackernews.com/2026/04/iran-linked-hackers-disrupt-us-critical.html
[4] https://www.cbsnews.com/pittsburgh/news/municipal-water-authority-of-aliquippa-hacked-iranian-backed-cyber-group/
[5] https://www.prismnews.com/news/iranian-hackers-target-us-water-energy-and-government
[6] https://en.wikipedia.org/wiki/2026_Iran_war
[7] https://www.nbcnews.com/tech/security/iran-hack-break-us-industrial-systems-agencies-trump-target-rcna267162
[8] https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
---
Hunt Report: CyberAv3ngers Industrial Control System Disruption Campaign
Hypothesis: If CyberAv3ngers/IRGC-affiliated actors are active in our environment, we expect to observe unauthorized Studio 5000 Logix Designer connections, MQTT C2 traffic on port 8883 to external hosts, DNS over HTTPS from OT segments, and the IOCONTROL malware binary on Linux-based OT/IoT devices.
Intelligence Summary: Iranian IRGC-affiliated CyberAv3ngers have pivoted from targeting Israeli-made Unitronics PLCs to disrupting Rockwell Automation/Allen-Bradley controllers across US water, energy, and government sectors since March 2026, using legitimate engineering software and custom IOCONTROL malware. This campaign represents a direct retaliation for Operation Epic Fury and demonstrates significantly enhanced OT attack capabilities.
Confidence: High | Priority: Critical
Scope
- Networks: All OT/ICS networks, water/wastewater SCADA systems, energy management systems, building automation networks, and engineering workstation VLANs
- Timeframe: 90 days retrospective (February 1, 2026 to present) to capture pre and post Operation Epic Fury activity
- Priority Systems: Rockwell ControlLogix/CompactLogix PLCs, Unitronics Vision Series HMIs, Linux-based OT gateways, engineering workstations with Studio 5000 installed
MITRE ATT&CK Techniques
T1078.001 — Valid Accounts: Default Accounts (Initial Access) [P1]
Exploitation of default or no passwords on Unitronics Vision Series PLCs via TCP port 20256
Splunk SPL:
```
index=network dest_port=20256 | stats count by src_ip, dest_ip | where count > 5 | lookup threat_intel_ip src_ip OUTPUT threat_score | where threat_score > 0 OR isnull(threat_score)
```
Elastic KQL:
```
destination.port:20256 AND NOT source.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
```
Sigma Rule:
```yaml
title: Unitronics PLC Default Port Access
id: a4b3e7f2-9c81-4d56-b123-456789abcdef
status: experimental
description: Detects connections to Unitronics PLC default port 20256
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
author: PEAK Hunt Team
date: 2026/04/07
tags:
  - attack.initial_access
  - attack.t1078.001
logsource:
  category: network_connection
  product: zeek
detection:
  selection:
    dest_port: 20256
  filter:
    src_ip|cidr:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  condition: selection and not filter
falsepositives:
  - Legitimate engineering workstation connections
level: high
```
Baseline legitimate engineering workstations accessing Unitronics devices. Any external source IPs warrant immediate investigation.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
IOCONTROL malware uses MQTT over port 8883 for C2 and DNS over HTTPS via Cloudflare for domain resolution
Splunk SPL:
```
index=network (dest_port=8883 OR dest_ip IN ("159.100.6.69")) src_ip IN (ot_network_ranges) | eval alert="Potential IOCONTROL C2" | table _time src_ip dest_ip dest_port bytes_out alert
```
Elastic KQL:
```
(destination.port:8883 OR destination.ip:"159.100.6.69") AND source.ip:(10.100.0.0/16 OR 172.20.0.0/16)
```
Sigma Rule:
```yaml
title: IOCONTROL MQTT C2 Communication
id: b5c4d8f3-2a91-5e67-c234-567890abcdef
status: stable
description: Detects MQTT traffic on port 8883 from OT networks to external hosts
references:
  - https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
author: PEAK Hunt Team
date: 2026/04/07
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: any
detection:
  selection_mqtt:
    dest_port: 8883
  selection_src:
    src_ip|cidr:
      - 10.100.0.0/16  # OT network
      - 172.20.0.0/16  # ICS network
  filter_internal:
    dest_ip|cidr:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  condition: selection_mqtt and selection_src and not filter_internal
falsepositives:
  - Legitimate cloud-based MQTT brokers (requires baselining)
level: high
```
MQTT traffic from OT to internet is highly unusual. Also monitor for DNS queries to cloudflare-dns.com from OT segments.
T1565.001 — Data Manipulation: Stored Data Manipulation (Impact) [P1]
Modification of PLC project files and HMI/SCADA displays using Studio 5000 Logix Designer
Splunk SPL:
```
index=windows (EventCode=4688 OR EventID=1) (CommandLine="*Studio 5000*" OR Image="*RS5000.exe*" OR CommandLine="*RSLogix5000*") | stats count by ComputerName, User, CommandLine | where ComputerName NOT IN (engineering_workstations)
```
Elastic KQL:
```
event.code:(4688 OR 1) AND (process.command_line:*Studio\ 5000* OR process.executable:*RS5000.exe* OR process.command_line:*RSLogix5000*) AND NOT host.name:("ENG-WS-01" OR "ENG-WS-02")
```
Sigma Rule:
```yaml
title: Unauthorized Studio 5000 Logix Designer Execution
id: c6d5e9f4-3b92-6f78-d345-678901bcdef2
status: stable
description: Detects execution of Rockwell Studio 5000 from unauthorized systems
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
author: PEAK Hunt Team
date: 2026/04/07
tags:
  - attack.impact
  - attack.t1565.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - CommandLine|contains: 'Studio 5000'
    - Image|endswith: '\RS5000.exe'
    - CommandLine|contains: 'RSLogix5000'
  filter:
    ComputerName:
      - ENG-WS-01
      - ENG-WS-02
      - ENG-WS-03
  condition: selection and not filter
falsepositives:
  - New engineering workstations not yet added to filter
level: critical
```
Maintain strict allowlist of authorized engineering workstations. Any execution outside this list is critical.
T1046 — Network Service Discovery (Discovery) [P2]
Scanning for internet-exposed PLCs on known OT ports
Splunk SPL:
```
index=firewall action=allowed (dest_port=44818 OR dest_port=20256 OR dest_port=2222) | stats dc(dest_ip) as unique_targets count by src_ip | where unique_targets > 10 | eval alert="PLC Port Scanning"
```
Elastic ES|QL (KQL has no aggregation stage, so the per-source distinct count is expressed in ES|QL):
```
FROM logs-*
| WHERE event.action == "allowed" AND destination.port IN (44818, 20256, 2222)
| STATS unique_targets = COUNT_DISTINCT(destination.ip) BY source.ip
| WHERE unique_targets > 10
```
Sigma Rule:
```yaml
title: OT/PLC Port Scanning Activity
id: d7e6f0a5-4ca3-7089-e456-789012cdef34
status: experimental
description: Detects scanning activity against common PLC/OT ports
author: PEAK Hunt Team
date: 2026/04/07
tags:
  - attack.discovery
  - attack.t1046
logsource:
  category: firewall
  product: any
detection:
  selection:
    action: allowed
    dest_port:
      - 44818  # Rockwell EtherNet/IP
      - 20256  # Unitronics
      - 2222   # Rockwell
      - 502    # Modbus
  timeframe: 5m
  condition: selection | count(dest_ip) by src_ip > 10
falsepositives:
  - Legitimate OT asset discovery tools
level: medium
```
Correlate with GeoIP data to identify scanning from Iranian or suspicious ASNs.
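The aggregation in the Sigma condition above (distinct destinations per source within a 5-minute window, threshold 10) as a sliding-window detector. This is an added example, not code from the hunt guide; the port list comes from the rule, while the sample sources, addresses and timestamps are constructed.

```python
# Added example: T1046 sliding-window scan detector over constructed firewall records.
from collections import defaultdict, deque
from datetime import datetime, timedelta

PLC_PORTS = {44818, 20256, 2222, 502}   # ports listed in the Sigma rule
WINDOW = timedelta(minutes=5)           # Sigma timeframe: 5m
THRESHOLD = 10                          # count(dest_ip) by src_ip > 10
FMT = "%Y-%m-%dT%H:%M:%SZ"


def detect_plc_scans(records, window=WINDOW, threshold=THRESHOLD):
    """Return one (src_ip, distinct_targets, ts) alert per source the first time it
    exceeds `threshold` distinct PLC-port destinations inside any `window` span.
    `records` is an iterable of (ts, action, src_ip, dest_ip, dest_port) tuples."""
    recent = defaultdict(deque)     # src -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    for ts_s, action, src, dst, dport in sorted(records, key=lambda r: r[0]):
        if action != "allowed" or dport not in PLC_PORTS:
            continue                # rule only counts allowed hits on PLC ports
        ts = datetime.strptime(ts_s, FMT)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(targets), ts_s))
    return alerts


def make_sample():
    """Constructed firewall log (not real telemetry)."""
    base = datetime(2026, 3, 14, 3, 0, 0)
    recs = []
    # Fast sweep: 12 distinct controllers in two minutes -> alert on the 11th target.
    for i in range(12):
        recs.append(((base + timedelta(seconds=10 * i)).strftime(FMT), "allowed",
                     "198.51.100.9", f"10.100.1.{40 + i}", 44818))
    # Slow sweep: one target every 6 minutes -> never 11 inside one 5-minute window.
    for i in range(12):
        recs.append(((base + timedelta(minutes=6 * i)).strftime(FMT), "allowed",
                     "198.51.100.77", f"10.100.2.{10 + i}", 20256))
    # Internal discovery tool touching 6 devices -> below threshold.
    for i in range(6):
        recs.append(((base + timedelta(seconds=5 * i)).strftime(FMT), "allowed",
                     "10.20.0.50", f"10.100.1.{60 + i}", 502))
    # Denied probes are not counted by the rule (action must be allowed).
    recs.append((base.strftime(FMT), "denied", "198.51.100.5", "10.100.1.1", 2222))
    return recs


if __name__ == "__main__":
    for src, n, ts in detect_plc_scans(make_sample()):
        print(f"PLC Port Scanning: {src} reached {n} distinct targets by {ts}")
```

The slow-sweep source shows the limit of a fixed 5-minute window: a scanner that paces itself below the threshold never trips the rule, so longer windows or cumulative per-source baselining are needed alongside it.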
T1059.004 — Command and Scripting Interpreter: Unix Shell (Execution) [P1]
IOCONTROL deployment via shell script execution on Linux OT/IoT devices
Splunk SPL:
```
index=linux sourcetype=auditd type=EXECVE (exe="/bin/sh" OR exe="/bin/bash") a0="*iocontrol*" | table _time host user exe a0
```
Elastic KQL:
```
event.module:auditd AND event.action:"executed" AND (process.executable:"/bin/sh" OR process.executable:"/bin/bash") AND process.args:*iocontrol*
```
Sigma Rule:
```yaml
title: IOCONTROL Malware Execution
id: e8f7a1b6-5db4-8190-f567-890123def456
status: stable
description: Detects execution of IOCONTROL malware on Linux systems
references:
  - https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
author: PEAK Hunt Team
date: 2026/04/07
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_binary:
    Image|endswith: '/iocontrol'
  selection_path:
    Image: '/usr/bin/iocontrol'
  selection_cmdline:
    CommandLine|contains: 'iocontrol'
  condition: selection_binary or selection_path or selection_cmdline
falsepositives:
  - Unknown
level: critical
```
Focus on OT/IoT devices running embedded Linux. Check for file creation in /usr/bin/.
T0883 — Internet Accessible Device (Initial Access) [P1]
Exploitation of internet-facing OT equipment without proper network segmentation
Splunk SPL:
```
index=firewall src_ip NOT IN (rfc1918) dest_ip IN (ot_assets) (dest_port=44818 OR dest_port=20256) action=allowed | dedup src_ip,dest_ip | eval risk_score=100
```
Elastic KQL:
```
NOT source.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16) AND destination.ip:10.100.0.0/16 AND destination.port:(44818 OR 20256) AND event.outcome:"success"
```
Sigma Rule:
```yaml
title: Direct Internet Access to OT Device
id: f9a8b2c7-6ec5-9201-g678-901234def567
status: stable
description: Detects direct internet connections to OT/PLC devices
author: PEAK Hunt Team
date: 2026/04/07
tags:
  - attack.initial_access
  - attack.t0883
logsource:
  category: firewall
  product: any
detection:
  selection:
    action: allowed
    dest_port:
      - 44818
      - 20256
      - 502
      - 2222
  filter_src:
    src_ip|cidr:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  ot_dest:
    dest_ip|cidr:
      - 10.100.0.0/16  # OT network
  condition: selection and not filter_src and ot_dest
falsepositives:
  - Remote vendor support (should be VPN)
level: critical
```
Any OT device accepting direct internet connections is critical. Implement immediate network segmentation.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 159.100.6.69 | IOCONTROL malware C2 server |
| filename | iocontrol | IOCONTROL malware binary stored in /usr/bin/ |
| domain | cloudflare-dns.com | DNS over HTTPS endpoint used by IOCONTROL for C2 resolution |
IOC Sweep Queries (Splunk):
```
index=* (dest_ip="159.100.6.69" OR src_ip="159.100.6.69") | stats count by index, sourcetype, src_ip, dest_ip, dest_port | eval threat="IOCONTROL C2"
index=linux (source="*auditd*" OR sourcetype=sysmon) (filepath="/usr/bin/iocontrol" OR filename="iocontrol" OR CommandLine="*iocontrol*") | table _time host user action filepath
index=dns (query="cloudflare-dns.com" OR query="1.1.1.1" OR query="1.0.0.1") src_ip IN (ot_network_ranges) | stats count by src_ip, query
```
YARA Rules
IOCONTROL_Linux_Backdoor — Detects IOCONTROL malware targeting OT/IoT Linux devices
```yara
rule IOCONTROL_Linux_Backdoor {
    meta:
        description = "IOCONTROL backdoor targeting OT/IoT devices"
        author = "PEAK Hunt Team"
        date = "2026-04-07"
        reference = "https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol"
        hash = "unknown"
    strings:
        $path1 = "/usr/bin/iocontrol" ascii
        $mqtt1 = "MQTT" ascii
        $mqtt2 = "8883" ascii
        $dns1 = "cloudflare-dns.com" ascii
        $dns2 = "1.1.1.1" ascii
        $c2ip = "159.100.6.69" ascii
        $elf_header = { 7F 45 4C 46 }
    condition:
        $elf_header at 0 and
        ($path1 or ($mqtt1 and $mqtt2) or $c2ip) and
        any of ($dns*)
}
```
CyberAv3ngers_Defacement — Detects CyberAv3ngers defacement messages on HMI systems
```yara
rule CyberAv3ngers_Defacement {
    meta:
        description = "CyberAv3ngers HMI defacement messages"
        author = "PEAK Hunt Team"
        date = "2026-04-07"
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"
    strings:
        $msg1 = "You have been hacked" ascii wide
        $msg2 = "down with Israel" ascii wide nocase
        $msg3 = "CyberAv3ngers" ascii wide nocase
        $msg4 = "Every equipment 'made in Israel'" ascii wide
        $msg5 = "legal target" ascii wide
    condition:
        2 of them
}
```
Suricata Rules
SID 3000001 — IOCONTROL C2 Communication to 159.100.6.69
alert tcp $HOME_NET any -> 159.100.6.69 8883 (msg:"ET TROJAN IOCONTROL MQTT C2 Communication"; flow:to_server,established; content:"|00 04|MQTT"; offset:2; depth:6; reference:url,claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol; classtype:trojan-activity; sid:3000001; rev:1;)
SID 3000002 — DNS over HTTPS to Cloudflare from OT Network
alert tcp $OT_NET any -> any 443 (msg:"ET POLICY DNS over HTTPS to Cloudflare from OT Network"; flow:to_server,established; tls.sni; content:"cloudflare-dns.com"; reference:url,claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol; classtype:policy-violation; sid:3000002; rev:1;)
SID 3000003 — Unitronics PLC Access on Port 20256
alert tcp any any -> $HOME_NET 20256 (msg:"ET SCADA Unitronics PLC Access Attempt"; flow:to_server; flags:S; reference:url,cisa.gov/news-events/cybersecurity-advisories/aa23-335a; classtype:attempted-recon; sid:3000003; rev:1;)
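What the SID 3000001 content match (`|00 04|MQTT` at offset 2, depth 6) actually sees in an MQTT CONNECT packet, checked against a full fixed-header parse. This is an added example, not part of the hunt guide; the packets are constructed, the offset/depth emulation follows the Suricata documentation's combined offset-and-depth semantics (search window bytes 2 through 7), and the match can only apply where the MQTT stream is visible in cleartext rather than inside TLS.

```python
# Added example: MQTT CONNECT header parsing versus the fixed-offset content match.
import struct


def decode_remaining_length(buf: bytes, pos: int = 1):
    """MQTT 3.1.1 variable-byte integer (1 to 4 bytes). Returns (value, next_pos)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining-length field")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:              # high bit clear: last length byte
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining-length field")


def encode_remaining_length(n: int) -> bytes:
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)


def is_mqtt_connect(buf: bytes) -> bool:
    """True if buf starts with a well-formed CONNECT whose protocol name is 'MQTT'."""
    if len(buf) < 2 or buf[0] >> 4 != 1:    # control packet type 1 = CONNECT
        return False
    try:
        _, pos = decode_remaining_length(buf)
    except ValueError:
        return False
    return buf[pos:pos + 6] == b"\x00\x04MQTT"


def suricata_content_match(buf: bytes) -> bool:
    """Emulates content:"|00 04|MQTT"; offset:2; depth:6 -> pattern must lie in bytes [2, 8)."""
    return b"\x00\x04MQTT" in buf[2:8]


def build_connect(client_id: str) -> bytes:
    """Constructed CONNECT: protocol MQTT, level 4, clean session, keepalive 60 s."""
    var_header = b"\x00\x04MQTT" + bytes([4, 0x02]) + struct.pack(">H", 60)
    cid = client_id.encode()
    payload = struct.pack(">H", len(cid)) + cid
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


SHORT = build_connect("plc-gw-01")   # remaining length fits in one byte: name at offset 2
LONG = build_connect("x" * 200)      # remaining length needs two bytes: name at offset 3

if __name__ == "__main__":
    for name, pkt in (("short", SHORT), ("long", LONG)):
        print(name, "parsed:", is_mqtt_connect(pkt), "rule:", suricata_content_match(pkt))
```

A CONNECT carrying more than 127 bytes of variable header plus payload (a long client ID, username or will message) shifts the protocol name past the fixed window, so the signature as written misses it while the parser still recognises the packet.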
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1059.001, T1565.001, T1059.004 | Deploy Sysmon on all Windows engineering workstations and Linux OT gateways |
| Network Traffic Flow | T1078.001, T1071.001, T1046, T0883 | East-West visibility required for OT networks; NetFlow/IPFIX from OT switches |
| DNS Query Logs | T1071.001 | DNS logging must capture DoH attempts; consider DNS sinkholing for OT |
| Firewall Logs | T1078.001, T1046, T0883 | Perimeter and inter-VLAN firewalls; must log both allows and denies |
| Linux Auditd | T1059.004 | Required on all Linux-based OT/IoT devices; monitor execve syscalls |
| Windows Security EventLog | T1565.001 | 4688 process creation auditing with command lines enabled |
| Application Logs | T1565.001 | Rockwell FactoryTalk logs; PLC configuration change logs |
Sources
- CISA AA26-097A: Iranian-affiliated APT actors disrupting Rockwell Automation
- CISA AA23-335A: CyberAv3ngers Unitronics Campaign
- Iran-Linked Hackers Disrupt US Critical Infrastructure
- Municipal Water Authority of Aliquippa Hacked
- Iranian Hackers Target US Water, Energy and Government
- 2026 Iran War
- Iran Hack Break US Industrial Systems
- Inside a New OT/IoT Cyber Weapon: IOCONTROL