What is a Modbus command injection attack?

A Modbus command injection attack involves an unauthorized actor sending write commands (like Force Single Coil or Preset Multiple Registers) to a PLC to manipulate physical processes or cause operational downtime.

Is this tool safe for production OT environments?

Yes, the provided implementation uses passive sniffing and deep packet inspection, which is significantly safer for sensitive ICS devices than active vulnerability scanning.

Can this skill detect FrostyGoop attacks?

Yes, it includes logic to monitor for the specific types of Modbus TCP manipulations used in FrostyGoop-style incidents that target industrial infrastructure.

Does this skill require specialized hardware?

It requires access to network traffic via a SPAN port or network TAP and utilizes standard Python libraries like Scapy for packet analysis.

Which Modbus function codes are monitored?

The skill monitors both Read (FC 1-4) and Write (FC 5, 6, 15, 16) functions, as well as diagnostic and encapsulated interface transport codes.

Modbus Command Injection Detection

Name: Modbus Command Injection Detection
Author: micsapp

bymicsapp

0•

セキュリティとテスト

Monitors and detects unauthorized write operations, anomalous function codes, and command injection attacks against Modbus TCP/RTU protocols in industrial environments.

This skill empowers Claude to analyze and secure Industrial Control Systems (ICS) by identifying malicious Modbus protocol traffic. It leverages deep packet inspection and baseline validation to detect sophisticated threats like the FrostyGoop attack, unauthorized register modifications, and broadcast write floods. It is an essential utility for OT Security Operations Centers (SOC) and incident responders needing to validate the integrity of SCADA and PLC communications without disrupting sensitive operations.

主な機能

01Identification of dangerous broadcast write commands (Unit ID 0)

020 GitHub stars

03Deep packet inspection for Modbus TCP/RTU protocol frames

04Baseline-driven anomaly detection for function codes and register ranges

05Detection of unauthorized Modbus masters and write operations

06Rate-limiting analysis to identify write-flood attacks

ユースケース

01Investigating unauthorized PLC configuration changes during incident response

02Monitoring OT networks for FrostyGoop-style operational impact attacks

03Validating Modbus communication baselines in SCADA environments

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-modbus-command-injection-attacks

For use in Claude.ai and ChatGPT

主な機能

01Identification of dangerous broadcast write commands (Unit ID 0)

020 GitHub stars

03Deep packet inspection for Modbus TCP/RTU protocol frames

04Baseline-driven anomaly detection for function codes and register ranges

05Detection of unauthorized Modbus masters and write operations

06Rate-limiting analysis to identify write-flood attacks

ユースケース

01Investigating unauthorized PLC configuration changes during incident response

02Monitoring OT networks for FrostyGoop-style operational impact attacks

03Validating Modbus communication baselines in SCADA environments

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-modbus-command-injection-attacks

For use in Claude.ai and ChatGPT