detecting-modbus-command-injection-attacks

Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized write operations, anomalous function codes, malformed frames, and deviations from established communication baselines using ICS-aware IDS and protocol deep packet inspection.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Detecting Modbus Command Injection Attacks

## When to Use

- When deploying intrusion detection for environments using Modbus TCP (port 502) or Modbus RTU
- When investigating suspected unauthorized modifications to PLC registers or coils
- When building detection analytics for an OT SOC that monitors Modbus-heavy environments
- When responding to FrostyGoop-style attacks that leverage Modbus TCP for operational impact
- When performing baseline validation after a suspected compromise of a Modbus master

**Do not use** for detecting attacks on non-Modbus protocols (see detecting-dnp3-protocol-anomalies for DNP3), for general IT network intrusion detection, or for Modbus device configuration (see performing-ot-vulnerability-scanning-safely).

## Prerequisites

- Network SPAN/TAP on the segment carrying Modbus TCP traffic (typically port 502)
- Baseline of normal Modbus communication patterns (masters, slaves, function codes, register ranges, polling intervals)
- Suricata, Zeek, or commercial OT IDS deployed with Modbus protocol parsers enabled
- Understanding of Modbus function codes used in the environment (read vs write operations)
- Access to PLC programming documentation to validate expected register ranges

## Workflow

### Step 1: Build Modbus Communication Baseline

Capture and analyze normal Modbus traffic to establish what constitutes legitimate communication patterns.

```python
#!/usr/bin/env python3
"""Modbus Command Injection Detector.
Monitors Modbus TCP traffic fo...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

monitoring-scada-modbus-traffic-anomalies

Monitors Modbus TCP traffic on SCADA and ICS networks to detect anomalous function code usage, unauthorized register writes, and suspicious communication patterns. The analyst uses deep packet inspection with pymodbus, Scapy, and Zeek to baseline normal PLC/RTU communication behavior, then applies statistical and rule-based anomaly detection to identify reconnaissance, parameter manipulation, and denial-of-service attacks targeting Modbus devices on port 502. Activates for requests involving Modbus traffic analysis, SCADA network monitoring, ICS anomaly detection, PLC security monitoring, or OT network threat detection.

detecting-modbus-protocol-anomalies

This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems. It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences.

detecting-dnp3-protocol-anomalies

Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns using deep packet inspection and machine learning approaches.

detecting-attacks-on-scada-systems

This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security tools miss.

detecting-anomalies-in-industrial-control-systems

This skill covers deploying anomaly detection systems for industrial control environments using machine learning models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications. It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, identifying rogue devices, and correlating network anomalies with physical process data from historians.
