{"id":13722222,"url":"https://github.com/neutrinoguy/awesome-ics-writeups","last_synced_at":"2025-05-07T14:31:17.557Z","repository":{"id":60923532,"uuid":"325583534","full_name":"neutrinoguy/awesome-ics-writeups","owner":"neutrinoguy","description":"Collection of writeups on ICS/SCADA security. ","archived":false,"fork":false,"pushed_at":"2025-03-22T05:20:45.000Z","size":37,"stargazers_count":170,"open_issues_count":0,"forks_count":25,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-23T00:02:24.221Z","etag":null,"topics":["awesome","awesome-list","hacking","hardware-hacking","ics","ics-security","infosec","scada","scada-security","writeups"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neutrinoguy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-12-30T15:23:56.000Z","updated_at":"2025-04-17T13:01:01.000Z","dependencies_parsed_at":"2023-12-25T07:27:53.310Z","dependency_job_id":"fc12b499-b2e7-49f6-8e61-107d0a7a8d8e","html_url":"https://github.com/neutrinoguy/awesome-ics-writeups","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neutrinoguy%2Fawesome-ics-writeups","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neutrinoguy%2Fawesome-ics-writeups/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neutrinoguy%2Fawesome-ics-writeups/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/neutrinoguy%2Fawesome-ics-writeups/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neutrinoguy","download_url":"https://codeload.github.com/neutrinoguy/awesome-ics-writeups/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252542059,"owners_count":21764907,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","awesome-list","hacking","hardware-hacking","ics","ics-security","infosec","scada","scada-security","writeups"],"created_at":"2024-08-03T01:01:26.072Z","updated_at":"2025-05-07T14:31:17.545Z","avatar_url":"https://github.com/neutrinoguy.png","language":null,"funding_links":[],"categories":["Learning Resources!!","Table of Contents","Others"],"sub_categories":["Free","Awesome Repos"],"readme":"# Awesome ICS/SCADA Writeups\n\n![awesome badge](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)\n![GitHub Repo stars](https://img.shields.io/github/stars/neutrinoguy/awesome-ics-writeups?style=flat-square)\n![GitHub last commit](https://img.shields.io/github/last-commit/neutrinoguy/awesome-ics-writeups?style=flat-square)\n----------\n\nA collection of writeups related to ICS/SCADA hacking. This covers areas like OT, IoT and IIoT. It includes exploitation writeups, vendor blogs, talks, CTF writeups etc. 
\n\n:new: Awesome ICS/SCADA/OT related videos can be found here: [Awesome-ICS-Videos](awesome-ics-videos.md)\n\n:full_moon: = Full details \n:first_quarter_moon: = Partial details\n:new_moon: = No details \n\n:warning: **Disclaimer: The work linked here is solely owned by the respective authors. This is just a collection of them.** :warning:\n\n### Airbus\n- https://airbus-cyber-security.com/remote-code-execution-on-ecostruxure-plc-simulator/ [:full_moon:]\n- https://airbus-cyber-security.com/abusing-a-shared-memory-for-getting-a-local-privilege-escalation-on-the-schneider-electric-modbus-serial-driver-cve-2020-7523/ [:full_moon:]\n- https://airbus-cyber-security.com/applying-a-stuxnet-type-attack-to-a-modicon-plc/ [:full_moon:]\n\n### Applied Risk\n- https://applied-risk.com/resources/multiple-vulnerabilities-in-moxa-iologik-e1200-series\n- https://applied-risk.com/resources/exploiting-a-kunbus-gateway-module-for-modbus-tcp-2\n- https://applied-risk.com/resources/ge_ifix_advisory\n\n### Armis\n- https://info.armis.com/rs/645-PDC-047/images/Urgent11%20Technical%20White%20Paper.pdf\n- https://www.armis.com/research/modipwn/ \n- https://www.armis.com/research/pwnedpiper/\n\n### AWESEC\n- https://awesec.com/advisories/AWE-2022-059.html\n\n\n\n### Claroty\n- https://www.claroty.com/2020/05/14/security-flaws-in-software-based-plc-enable-remote-code-execution-on-windows-box/\n- https://www.claroty.com/2020/11/10/blog-research-schneider-m221-plcs/\n- https://www.claroty.com/2020/12/17/blog-research-rce-vulnerability-in-wago-firmware/\n- https://www.claroty.com/2020/07/15/cve-2020-14511/\n- https://www.claroty.com/2020/05/28/eds-subsystem-vulnerabilities-expose-ot-assets-to-malicious-file-delivery/\n- https://www.claroty.com/2021/05/28/blog-research-race-to-native-code-execution-in-plcs/\n- https://www.claroty.com/2021/02/25/blog-research-critical-authentication-bypass-in-rockwell-software/\n- 
https://www.claroty.com/2021/03/23/blog-research-vulnerabilities-in-tbox-rtus/\n- https://www.claroty.com/2021/04/01/blog-research-critical-vulnerabilities-found-in-rockwell-factorytalk-assetcentre/\n- https://www.claroty.com/2021/08/31/blog-research-crashing-sip-clients-with-a-single-slash/\n- https://www.claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwning-industrial-remote-access-clients/\n- https://www.claroty.com/2021/12/13/blog-research-bugs-in-the-cloud-how-one-vulnerability-exposed-offline-devices-to-a-security-risk/\n- https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/\n- https://www.claroty.com/2022/02/10/blog-research-securing-network-management-systems-moxa-mxview/\n- https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automation-plcs/\n- https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/\n- https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-execution-exploiting-vulnerabilities-in-xinje-plc-program-tool/\n- https://claroty.com/2022/06/16/blog-research-securing-network-management-systems-part-3-siemens-sinec-nms/\n- https://claroty.com/team82/research/white-papers/evil-plc-attack-weaponizing-plcs\n- https://claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices\n- https://claroty.com/team82/research/the-race-to-native-code-execution-in-plcs-using-rce-to-uncover-siemens-simatic-s7-1200-1500-hardcoded-cryptographic-keys\n- https://claroty.com/team82/research/an-oil-and-gas-weak-spot-flow-computers\n- https://claroty.com/team82/research/hacking-ics-historians-the-pivot-point-from-it-to-ot\n- https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-against-smart-intercoms\n- https://claroty.com/team82/research/triple-threat-breaking-teltonika-routers-three-ways\n- https://claroty.com/team82/research/the-path-to-the-cloud-is-filled-with-holes-exploiting-4g-edge-routers\n- 
https://claroty.com/team82/research/dicom-demystified-exploring-the-underbelly-of-medical-imaging\n- https://claroty.com/team82/research/opc-ua-deep-dive-history-of-the-opc-ua-protocol (OPC-UA Series)\n- https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware (ICS Malware)\n- https://claroty.com/team82/research/exploiting-a-classic-deserialization-vulnerability-in-siemens-simatic-energy-manager\n- https://claroty.com/team82/research/exploiting-honeywell-controledge-virtualuoc \n- https://claroty.com/team82/research/threat-modeling-industrial-environments-using-virtual-factories-part-1\n- https://claroty.com/team82/research/practical-and-theoretical-attacks-in-the-industrial-landscape-part-2\n- https://claroty.com/team82/research/bypassing-rockwell-automation-logix-controllers-local-chassis-security-protection\n- https://claroty.com/team82/research/mms-under-the-microscope-examining-the-security-of-a-power-automation-standard\n- https://claroty.com/team82/research/delving-into-windows-ce-lets-build-an-embedded-windows-application\n- https://claroty.com/team82/research/delving-into-windows-ce-part-2-analyzing-windows-ce-debugging-constructs\n- https://claroty.com/team82/research/hack-the-emulated-planet-vulnerability-hunting-on-planet-wgs-804hpt-industrial-switches\n- https://claroty.com/team82/research/the-insecure-iot-cloud-strikes-again-rce-on-ruijie-cloud-connected-devices\n- https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol (ICS Malware)\n\n\n\n\n### Compass Security\n- https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-1-how-it-all-started/\n- https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-2-exploring-the-attack-surface/\n- https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-3-exploration/\n- https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-4-memory-corruption-analysis/\n- 
https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-5-the-exploit/\n- https://blog.compass-security.com/2024/08/a-patchdiffing-journey-tp-link-omada/\n\n\n### CrowdStrike\n- https://www.crowdstrike.com/blog/how-to-pwn2own-the-cisco-rv340-router/\n\n\n### CyberDanube\n- https://cyberdanube.com/security-research/authenticated-remote-code-execution-in-ewon-flexy-205/\n- https://cyberdanube.com/security-research/multiple-vulnerabilities-in-abb-ac500v3/\n- https://cyberdanube.com/security-research/st-polten-uas-path-traversal-in-korenix-jetport/\n- https://cyberdanube.com/security-research/st-polten-uas-stored-cross-site-scripting-in-seh-utnserver-pro/\n- https://cyberdanube.com/security-research/st-polten-uas-multiple-vulnerabilities-in-oring-iap/\n- https://cyberdanube.com/security-research/multiple-vulnerabilities-in-riello-netman-204/\n- https://cyberdanube.com/security-research/authenticated-command-injection-in-helmholz-rex100-router/\n- https://cyberdanube.com/security-research/multiple-vulnerabilities-in-perten-processplus/\n- https://cyberdanube.com/security-research/multiple-vulnerabilities-in-korenix-jetport/\n- https://cyberdanube.com/security-research/multiple-vulnerabilities-in-seh-untserver-pro/\n- https://cyberdanube.com/security-research/multiple-vulnerabilities-in-advantech-eki-15xx-series/\n- https://cyberdanube.com/security-research/authenticated-command-injection-in-hirschmann-belden-bat-c2/\n- https://cyberdanube.com/security-research/multiple-vulnerabilities-in-delta-electronics-dx-2100-l1-cn/\n- https://cyberdanube.com/security-research/authenticated-command-injection-in-delta-electronics-dvw-w02w2-e2/\n\n\n### CyberArk\n- https://www.cyberark.com/resources/threat-research-blog/bug-hunting-stories-schneider-electric-the-andover-continuum-web-client\n\n### Cynerio\n- https://assets.website-files.com/5d2ad783e06f4c19469d363a/625551dd440d0b187fa96d38_JekyllBot-5-Vulnerability-Disclosure-Report.pdf\n\n### Dragos\n- 
https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf [Malware]\n- https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/\n- https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_SB_COSMICENERGY_June23_FINAL_WEB.pdf [Malware]\n\n### Tenable\n- https://medium.com/tenable-techblog/plc-bug-hunt-fa3a0aeae9ab\n- https://medium.com/tenable-techblog/examining-crypto-and-bypassing-authentication-in-schneider-electric-plcs-m340-m580-f37cf9f3ff34\n- https://www.tenable.com/security/research/tra-2021-50\n- https://www.tenable.com/security/research/tra-2021-47\n- https://www.tenable.com/security/research/tra-2021-40\n- https://www.tenable.com/security/research/tra-2021-28\n- https://www.tenable.com/security/research/tra-2021-24\n- https://www.tenable.com/security/research/tra-2021-51\n- https://medium.com/tenable-techblog/arris-cable-modem-teardown-5e294b7007eb\n- https://www.tenable.com/security/research/tra-2022-33\n- https://www.tenable.com/security/research/tra-2022-32\n- https://www.tenable.com/security/research/tra-2022-23\n- https://www.tenable.com/security/research/tra-2022-22\n- https://www.tenable.com/security/research/tra-2022-13\n- https://www.tenable.com/security/research/tra-2023-13\n\n\n### Trend Micro\n- https://documents.trendmicro.com/assets/wp/wp-industrial-robot-security.pdf\n- https://www.trendmicro.com/en_us/research/20/e/fake-company-real-threats-building-a-fake-manufacturing-system-for-a-sting.html\n- https://www.trendmicro.com/en_us/research/20/e/fake-company-real-threats-the-reality-of-cyberattacks-on-factories.html\n- https://documents.trendmicro.com/assets/wp/wp-hacker-machine-interface.pdf\n\n\n### Kaspersky\n- https://ics-cert.kaspersky.com/reports/2018/03/12/somebodys-watching-when-cameras-are-more-than-just-smart/\n- 
https://ics-cert.kaspersky.com/reports/2018/02/28/iot-hack-how-to-break-a-smart-home-again/\n- https://ics-cert.kaspersky.com/reports/2019/01/22/security-research-thingspro-suite-iiot-gateway-and-device-manager-by-moxa/\n- https://ics-cert.kaspersky.com/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-1/\n- https://ics-cert.kaspersky.com/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-2/\n- https://ics-cert.kaspersky.com/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-3/\n- https://ics-cert.kaspersky.com/reports/2020/10/08/montysthree-industrial-espionage-with-steganography-and-a-russian-accent-on-both-sides/\n- https://ics-cert.kaspersky.com/publications/reports/2022/05/23/isapwn-research-on-the-security-of-isagraf-runtime/\n- https://ics-cert.kaspersky.com/publications/reports/2022/09/29/the-secrets-of-schneider-electrics-umas-protocol/\n\n\n### FireEye\n- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html\n- https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html\n- https://www.fireeye.com/blog/threat-research/2018/05/rooting-logitech-harmony-hub-improving-iot-security.html\n- https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-one.html\n- https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-two.html\n\n\n### Fortinet\n- https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems [Malware]\n\n\n### Forescout\n- https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/ [:first_quarter_moon:]\n- https://www.forescout.com/company/blog/numberjack-forescout-research-labs-finds-nine-isn-generation-vulnerabilities-affecting-tcpip-stacks/\n- 
https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/\n- https://www.forescout.com/resources/infrahalt-discovering-mitigating-large-scale-ot-vulnerabilities/\n- https://www.forescout.com/resources/nucleus13-research-report-dissecting-the-nucleus-tcpip-stack/\n- https://www.forescout.com/resources/project-memoria-lookback-report/\n\n### McAfee\n- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hvacking-understanding-the-delta-between-security-and-reality/\n\n### Netresec\n- https://www.netresec.com/?page=Blog\u0026month=2014-11\u0026post=Observing-the-Havex-RAT [Malware]\n- https://www.netresec.com/?page=Blog\u0026month=2014-10\u0026post=Full-Disclosure-of-Havex-Trojans [Malware]\n- https://www.netresec.com/?page=Blog\u0026month=2012-08\u0026post=SCADA-Network-Forensics-with-IEC-104\n- https://www.netresec.com/?page=Blog\u0026month=2022-04\u0026post=Industroyer2-IEC-104-Analysis [Malware]\n\n\n### NCC Group\n- https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-digital-pr4100-nas-cve-2022-23121/\n- https://research.nccgroup.com/wp-content/uploads/2022/07/pwn2own-3-bugs-technical-external.pdf\n- https://research.nccgroup.com/wp-content/uploads/2022/07/pwn2own-how-to-win-external.pdf \n\n\n### Onekey\n- https://onekey.com/blog/advisory-festo-cecc-x-m1-command-injection-vulnerabilities/\n- https://onekey.com/blog/security-advisory-wago-unauthenticated-config-export-vulnerability/\n- https://onekey.com/blog/security-advisory-netmodule-multiple-vulnerabilities/ \n\n\n### OTORIO\n- https://www.otorio.com/blog/airlink-acemanager-vulnerabilities/\n- https://go.otorio.com/hubfs/Whitepapers%20and%20Reports/whitepaper%20-%20Industrial%20wireless%20IoT%20research.pdf\n- https://www.otorio.com/blog/exploiting-automation-license-manager-using-dfs-for-pcs-7-takeover/\n- https://www.otorio.com/blog/hijacking-abb-800xa-communication-for-admin-privileges/\n\n\n### Palo Alto\n- 
https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-suite/\n\n\n### Zero Day Initiative\n- https://www.zerodayinitiative.com/blog/2020/8/24/cve-2020-10611-achieving-code-execution-on-the-triangle-microworks-scada-data-gateway\n- https://www.zerodayinitiative.com/blog/2020/6/10/a-trio-of-bugs-used-to-exploit-inductive-automation-at-pwn2own-miami\n- https://www.thezdi.com/blog/2020/9/30/the-anatomy-of-a-bug-door-dissecting-two-d-link-router-authentication-bypasses\n- https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami\n- https://www.zerodayinitiative.com/blog/2020/1/15/reliably-finding-and-exploiting-icsscada-bugs\n- https://www.thezdi.com/blog/2020/9/9/performing-sql-backflips-to-achieve-code-execution-on-schneider-electrics-ecostruxure-operator-terminal-expert-at-pwn2own-miami-2020\n- https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization\n- https://www.zerodayinitiative.com/blog/2023/9/7/looking-at-the-chargepoint-home-flex-threat-landscape\n- https://www.zerodayinitiative.com/blog/2024/10/2/from-pwn2own-automotive-more-autel-maxicharger-vulnerabilities\n- https://www.zerodayinitiative.com/blog/2024/8/22/from-pwn2own-automotive-taking-over-the-autel-maxicharger\n- https://www.zerodayinitiative.com/blog/2024/7/25/multiple-vulnerabilities-in-the-deep-sea-electronics-dse855\n- https://www.zerodayinitiative.com/blog/2024/5/23/mindshare-decapping-chips-for-electromagnetic-fault-injection-emfi\n\n\n### JFrog (Vdoo)\n- https://www.vdoo.com/blog/vdoo-discovers-significant-vulnerabilities-in-axis-cameras [:full_moon:]\n- https://www.vdoo.com/blog/significant-vulnerability-in-hikvision-cameras [:full_moon:]\n- https://www.vdoo.com/blog/giving-back-securing-open-source-iot-projects [:full_moon:]\n- https://www.vdoo.com/blog/vdoo-has-found-major-vulnerabilities-in-foscam-cameras 
[:full_moon:]\n- https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework\n- https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered\n\n### Nozomi Networks\n- https://www.nozominetworks.com/downloads/US/Nozomi-Networks-GreyEnergy-Dissecting-the-Malware.pdf [Malware]\n- https://www.nozominetworks.com/downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf [Malware]\n- https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/ [Malware]\n- https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf [Malware]\n- https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/ [Malware]\n- https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2/ [Malware]\n- https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1/\n- https://www.nozominetworks.com/blog/flaws-in-hitachi-relion-650-670-series-ieds-update-mechanism/\n- https://www.nozominetworks.com/blog/protecting-the-phoenix-unveiling-critical-vulnerabilities-in-phoenix-contact-hmi-part-3\n- https://www.nozominetworks.com/blog/dji-mavic-3-drone-research-part-1-firmware-analysis\n- https://www.nozominetworks.com/blog/dji-mavic-3-drone-research-part-2-vulnerability-analysis\n\n\n### Mandiant\n- https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool [Malware]\n- https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks [Malware]\n- https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology [APT]  \n\n### Medigate\n- https://www.medigate.io/lexmark-printers-firmware-extraction-part-a/\n- https://www.medigate.io/lexmark-printers-firmware-extraction-part-b/\n- https://www.medigate.io/lexmark-printers-firmware-extraction-part-c/\n\n### Microsoft\n- 
https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/\n\n\n### Rapid-7\n- https://www.rapid7.com/blog/post/2019/12/09/how-i-shut-down-a-test-factory-with-a-single-layer-2-packet/\n\n\n### Redballoon Security\n- https://redballoonsecurity.com/siemens-discovery/\n\n### Redfox Security\n- https://redfoxsec.com/blog/plc-hacking-part-1/\n- https://redfoxsec.com/blog/plc-hacking-part-2/\n\n\n### Saiflow\n- https://www.saiflow.com/how-mishandling-of-websockets-can-cause-dos-and-energy-theft/\n- https://www.saiflow.com/hijacking-chargers-identifier-to-cause-dos/\n- https://www.saiflow.com/the-impact-of-api-vulnerabilities-on-csms-services-charging-network-operators-the-use-case-of-abb-chargersync/\n- https://www.saiflow.com/abb-terra-ac-improper-authentication-can-lead-to-evse-takeover-cve-2023-0863-cve-2023-0864/\n\n\n### Scadafence\n- https://www.scadafence.com/wp-content/uploads/2022/04/SCADAfence-Hack-The-Port-Report-2022.pdf [Whitepaper]\n- https://blog.scadafence.com/scadafence-discovers-first-cves-detected-in-alerton-plcs\n\n### Sector7\n- https://sector7.computest.nl/post/2022-07-opc-ua-net-standard-trusted-application-check-bypass/\n- https://sector7.computest.nl/post/2022-07-inductive-automation-ignition-rce/\n\n### SSD Disclosure\n- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/\n\n\n### WeLiveSecurity\n- https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf [Malware]\n- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ [Malware]\n\n### Viettel Security\n- https://blog.viettelcybersecurity.com/security-wall-of-s7commplus-part-1/\n- https://blog.viettelcybersecurity.com/security-wall-of-s7commplus-3/\n\n\n### Miscellaneous\n\n- https://stepfunc.io/blog/tmw-bug-chain-and-rust/\n- http://muffsec.com/blog/?p=608\n- 
https://medium.com/cognite/pwn2own-or-not2pwn-part-1-3f152c44563e [:full_moon:]\n- https://medium.com/cognite/pwn2own-or-not2pwn-part-2-5-a-brief-tale-of-free-0days-e1df142eb815 [:full_moon:]\n- https://medium.com/cognite/pwn2own-or-not2pwn-part-3-the-lazy-mans-escalation-392fd00a0ec8 [:full_moon:]\n- https://www.jsof-tech.com/wp-content/uploads/2020/06/JSOF_Ripple20_Technical_Whitepaper_June20.pdf [:first_quarter_moon:]\n- https://www.vanimpe.eu/2017/03/23/shodan-telling-us-ics-belgium/\n- http://www.scada.sl/2013/01/sux.html\n- http://www.scada.sl/2018/09/how-to-hack-sd-wan-and-keep-your-sanity.html\n- https://1modm.github.io/CVE-2019-12480.html\n- https://vimeo.com/53806381 [:new_moon:]\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabilities-in-schneider-electric-somachine-and-m221-plc/ [:full_moon:]\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacking-scada-part-ii-vulnerabilities-in-schneider-electric-ecostruxure-machine-expert-and-m221-plc/\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacking-scada-part-iii-hardcoded-salt-in-schneider-electric-ecostruxure-machine-expert-cve-2020-28214/\n- https://ioactive.com/warcodes-attacking-ics-through-industrial-barcode-scanners/\n- https://www.domaintools.com/resources/blog/def-con-ics-ctf [CTF]\n- https://srcincite.io/blog/2020/02/18/silent-schneider-revealing-a-hidden-patch-in-ecostruxure-operator-terminal-expert.html\n- https://www.atredis.com/blog/2018/5/14/ge-healthcare-mac-5500-vulnerabilities\n- https://media.ccc.de/v/34c3-8956-scada_-_gateway_to_s_hell\n- https://www.synacktiv.com/publications/izi-izi-pwn2own-ics-miami.html\n- https://labs.f-secure.com/archive/offensive-ics-exploitation-a-technical-description/ [CTF]\n- https://grimminck.medium.com/running-a-fake-power-plant-on-the-internet-for-a-month-4a624f685aaa\n- https://medium.com/@npcole/packet-modification-attack-on-plc-with-arp-spoofing-mitm-attack-f0c4d58e3e83\n- 
https://halcyonic.net/2019-04-21-rockwell-zero-day/\n- https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware [Malware]\n- https://isc.sans.edu/forums/diary/Looking+for+malicious+traffic+in+electrical+SCADA+networks+part+1/17967\n- https://isc.sans.edu/forums/diary/Looking+for+malicious+traffic+in+electrical+SCADA+networks+part+2+solving+problems+with+DNP3+Secure+Authentication+Version+5/17981\n- https://isc.sans.edu/forums/diary/Authentication+Issues+between+entities+during+protocol+message+exchange+in+SCADA+Systems/13927\n- https://sergiusechel.medium.com/misconfiguration-in-ilc-gsm-gprs-devices-leaves-over-1-200-ics-devices-vulnerable-to-attacks-over-82c2d4a91561\n- https://www.redtimmy.com/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1/\n- https://trenchant.io/two-lines-of-jscript-for-20000-pwn2own-miami-2022/\n- https://guillaumebour.fr/articles/security_testing_pacemaker_ecosystem/part_1_introduction_context_methodology/ (5 Part Series)\n- https://www.mnemonic.io/resources/blog/reverse-engineering-an-ev-charger/\n- https://www.guidepointsecurity.com/blog/guidepoint-security-researcher-discovers-vulnerability-in-the-integrity-of-common-hmi-client-server-protocol/\n- https://starlabs.sg/blog/2023/02-gotta-kep-tcha-em-all-bypassing-anti-debugging-methods-in-kepserver/\n- https://www.reversemode.com/2023/04/losing-control-over-schneiders.html\n- https://eclypsium.com/blog/vendor-re-use-opens-the-aperture-on-many-vulnerabilities/\n- https://vulncheck.com/blog/solarview-exploitation\n- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ [Malware]\n- https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/ [Malware]\n- https://duck.moe/blog/blutacc/\n- 
https://sektorcert.dk/wp-content/uploads/2023/11/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf [APT]\n- https://petrusviet.medium.com/cve-2023-50220-inductive-automation-ignition-xml-deserialization-to-rce-7b395412c6cf\n- https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/\n- https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1/\n\n\n### Cisco Talos\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1140 [:full_moon:]\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1003 [:first_quarter_moon:]\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0771 [:full_moon:]\n- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0445 [:full_moon:]\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1026\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1025\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1024\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1069\n- https://talosintelligence.com/vulnerability_reports/TALOS-2016-0184\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1144\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0868\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0825\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0827\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0847\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0822\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0824\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0851\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0823\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0826\n- 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0866\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0867\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0808\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0807\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0736\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0806\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0766\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0735\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0763\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0737\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0764\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0765\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0738\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0745\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0739\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0743\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0768\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0740\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0741\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0769\n- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0742\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0770\n- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0767\n- 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1174\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1184\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1008\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1169\n- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1168\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1236\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1273\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1271\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1272\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1270\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1306\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1304\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1303\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1301\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1302\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1300\n- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1305\n\n\n----------\n**Have a writeup that fits here? Feel free to raise a Pull Request. :octocat:**\n\n*To-do*\n\n- [ ] Classify writeups under separate sections.\n- [ ] Add details classification to each writeup.\n- [ ] Add Contributing Instructions.\n- [ ] Add Conference Talks on ICS/OT/IIoT.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneutrinoguy%2Fawesome-ics-writeups","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneutrinoguy%2Fawesome-ics-writeups","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneutrinoguy%2Fawesome-ics-writeups/lists"}