
Detect Rockwell Automation Logix Controllers Insufficient Credential Protection (CVE-2021-22681) in Splunk

CVE-2021-22681 is an insufficient protection of credentials vulnerability (CWE-522) affecting multiple Rockwell Automation products, including Logix controllers. An attacker who can intercept or otherwise obtain the weakly protected credentials used to authenticate to a Logix controller can bypass authentication. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and poses critical risk in OT/ICS environments, where unauthorized controller access could cause process disruption or physical damage.

MITRE ATT&CK

Tactics

  • Credential Access
  • Initial Access
  • Lateral Movement

SPL Detection Query

Splunk (SPL)
index=ot_security OR index=network sourcetype IN ("cisco:asa", "pan:traffic", "stream:tcp", "rockwell:logix", "claroty", "nozomi", "dragos")
| eval dest_port=coalesce(dest_port, dpt)
| where dest_port IN (44818, 2222, 2221) OR proto="EtherNet/IP" OR proto="CIP"
| eval is_auth_event=if(match(lower(coalesce(message, payload, description)), "(login|auth|credential|password|session|token)"), 1, 0)
| eval is_logix=if(match(lower(coalesce(dest_host, dvc, product)), "(logix|controllogix|compactlogix|guardlogix|softlogix|drivelogix|rockwell)"), 1, 0)
| where dest_port=44818 OR (is_auth_event=1 AND is_logix=1)
| stats count AS connection_count, values(src_ip) AS source_ips, values(dest_ip) AS controller_ips, max(is_auth_event) AS is_auth_event, max(is_logix) AS is_logix, earliest(_time) AS first_seen, latest(_time) AS last_seen BY dest_port, proto, dvc
| eval risk_score=case(is_auth_event=1 AND is_logix=1, 90, dest_port=44818, 60, 1=1, 40)
| sort - risk_score
Severity: critical · Confidence: medium

Detects connections to Rockwell Logix controllers over the EtherNet/IP and CIP protocols, with elevated scoring for authentication-related events on identified Logix devices that may indicate credential interception or replay attacks exploiting CVE-2021-22681. Both flags (is_auth_event and is_logix) are carried through the stats aggregation with max() so that the risk_score case statement can still evaluate them per group.

Data Sources

  • OT network sensors
  • Firewall logs
  • IDS/IPS
  • Rockwell Logix audit logs
  • Claroty
  • Nozomi
  • Dragos

Required Sourcetypes

  • cisco:asa
  • pan:traffic
  • stream:tcp
  • rockwell:logix
  • claroty
  • nozomi

False Positives & Tuning

  • Authorized engineering workstations routinely connecting to Logix controllers
  • Asset management or vulnerability scanning tools querying CIP/EtherNet/IP
  • OEM or integrator remote access sessions
  • Historian or SCADA polling of controller data
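The following is an added Python example, not code from the original page or from Splunk, that re-implements the per-event flagging, the stats aggregation and the risk scoring of the SPL query above over a handful of constructed sample events, and adds an allowlist of authorized engineering workstation IPs as one way to apply the tuning guidance in the list above. The field names mirror the query (src_ip, dest_ip, dest_port/dpt, proto, dvc, product, message); the allowlist parameter and the sample events are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). They mimic the fields the
# SPL query reads; note that controller 1 is logged under a dvc name that does
# not contain "logix", while controller 2 is.
SAMPLE_EVENTS = [
    {"src_ip": "10.10.5.20", "dest_ip": "10.10.9.1", "dest_port": 44818, "proto": "EtherNet/IP",
     "dvc": "clx-line1", "product": "ControlLogix 5580", "message": "forward open session established"},
    {"src_ip": "10.10.5.20", "dest_ip": "10.10.9.1", "dest_port": 44818, "proto": "EtherNet/IP",
     "dvc": "clx-line1", "product": "ControlLogix 5580", "message": "login attempt with stored password"},
    {"src_ip": "10.10.7.33", "dest_ip": "10.10.9.2", "dpt": 2222, "proto": "EtherNet/IP",
     "dvc": "compactlogix-line2", "product": "CompactLogix 5380", "message": "auth token presented"},
    {"src_ip": "10.10.7.33", "dest_ip": "10.10.9.2", "dest_port": 2221, "proto": "CIP",
     "dvc": "compactlogix-line2", "product": "CompactLogix 5380", "message": "read tag values"},
    {"src_ip": "10.10.1.5", "dest_ip": "10.10.1.50", "dest_port": 443, "proto": "TCP",
     "dvc": "web01", "product": "nginx", "message": "login ok"},
]

# Same regexes and port set as the SPL query.
AUTH_RE = re.compile(r"(login|auth|credential|password|session|token)")
LOGIX_RE = re.compile(r"(logix|controllogix|compactlogix|guardlogix|softlogix|drivelogix|rockwell)")
ENIP_PORTS = {44818, 2222, 2221}


def coalesce(ev, *keys):
    """First non-null field, like SPL coalesce(); later fields are never consulted."""
    for k in keys:
        if ev.get(k) is not None:
            return ev[k]
    return ""


def flag_event(ev):
    """Mirror the per-event eval/where stages; return None if the event is filtered out."""
    port = coalesce(ev, "dest_port", "dpt")
    proto = ev.get("proto", "")
    if not (port in ENIP_PORTS or proto in ("EtherNet/IP", "CIP")):
        return None
    is_auth = bool(AUTH_RE.search(str(coalesce(ev, "message", "payload", "description")).lower()))
    is_logix = bool(LOGIX_RE.search(str(coalesce(ev, "dest_host", "dvc", "product")).lower()))
    if not (port == 44818 or (is_auth and is_logix)):
        return None
    return {"port": port, "proto": proto, "dvc": ev.get("dvc", ""), "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"], "is_auth": is_auth, "is_logix": is_logix}


def detect(events, allowlist=frozenset()):
    """Aggregate like `stats ... BY dest_port, proto, dvc`, then score each group.

    allowlist: source IPs of authorized engineering workstations (hypothetical
    tuning knob); their events are dropped before aggregation.
    """
    groups = defaultdict(lambda: {"connection_count": 0, "source_ips": set(),
                                  "controller_ips": set(), "is_auth": False, "is_logix": False})
    for ev in events:
        f = flag_event(ev)
        if f is None or f["src_ip"] in allowlist:
            continue
        g = groups[(f["port"], f["proto"], f["dvc"])]
        g["connection_count"] += 1
        g["source_ips"].add(f["src_ip"])
        g["controller_ips"].add(f["dest_ip"])
        g["is_auth"] |= f["is_auth"]      # max(is_auth_event) in SPL
        g["is_logix"] |= f["is_logix"]    # max(is_logix) in SPL
    results = []
    for (port, proto, dvc), g in groups.items():
        if g["is_auth"] and g["is_logix"]:
            score = 90
        elif port == 44818:
            score = 60
        else:
            score = 40
        results.append({"dest_port": port, "proto": proto, "dvc": dvc, "risk_score": score, **g})
    results.sort(key=lambda r: r["risk_score"], reverse=True)
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["risk_score"], row["dest_port"], row["proto"], row["dvc"],
              row["connection_count"], sorted(row["source_ips"]))
    print("after allowlisting the engineering workstation:")
    for row in detect(SAMPLE_EVENTS, allowlist={"10.10.5.20"}):
        print(row["risk_score"], row["dest_port"], row["dvc"])
```

Running it shows two groups: the CompactLogix group scores 90 (auth keyword plus a Logix name), while the two port-44818 connections to controller 1 only score 60 even though both messages contain auth keywords, because coalesce(dest_host, dvc, product) stops at the populated dvc value "clx-line1" and never looks at the product field. The same happens in the SPL query: if your sensors populate dvc with hostnames that do not contain "logix" or "rockwell", the 90-point tier is unreachable for those controllers and you should add the naming convention to the regex or reorder the coalesce. Allowlisting the engineering workstation's IP removes the 60-point group entirely, which is the effect the first tuning bullet describes.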

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: EtherNet/IP Controller Enumeration via nmap

    Expected signal: Network connection events from the scanning host to port 44818 on multiple destination IPs; IDS alerts for CIP/EtherNet/IP enumeration

  2. Test 2: CIP Session Credential Capture via Wireshark

    Expected signal: Passive capture produces no active network events; detection depends on promiscuous mode detection or IDS passive analysis alerts

  3. Test 3: RSLinx Classic Unauthorized Connection Attempt

    Expected signal: Windows process creation for RSLinx.exe; network connection from a non-engineering workstation to controller port 44818; controller audit log entry for the unauthorized connection attempt
