What are the prerequisites for using this detection skill?

You need access to network traffic via a SPAN port or TAP on the ICS network segment and an established baseline of normal Modbus communication patterns for your specific environment.

Which Modbus protocols does this skill support?

This skill is designed for Modbus TCP (standard port 502) and provides detection logic that can be adapted for Modbus RTU monitoring via protocol gateways.

Can this skill prevent Modbus attacks in real-time?

This skill is primarily focused on detection and monitoring (IDS). Prevention requires active network security controls like industrial firewalls and network segmentation.

What is Modbus command injection?

Modbus command injection occurs when an attacker sends unauthorized write commands or malicious function codes to a PLC or Modbus device to manipulate industrial processes or disrupt operations.

Modbus Command Injection Detection

Name: Modbus Command Injection Detection
Author: mukul975

bymukul975

•

4,121

•

Security & Testing

Monitors industrial Modbus TCP/RTU traffic to identify and alert on unauthorized command injections and protocol anomalies in OT environments.

This skill equips Claude with specialized knowledge to detect and analyze command injection attacks targeting the Modbus protocol within Industrial Control Systems (ICS). By monitoring for unauthorized write operations, anomalous function codes, malformed frames, and deviations from established communication baselines, it helps security teams identify malicious activity like FrostyGoop-style attacks. The skill provides actionable detection logic using Python and Scapy, allowing for deep packet inspection and mapping of security events to the MITRE ATT&CK for ICS framework to protect SCADA and PLC environments.

Key Features

01Identification of unauthorized Modbus masters and write operations

02Baseline-based anomaly detection for register access and polling intervals

03Deep packet inspection for Modbus TCP/RTU protocol frames

04Detection of high-risk broadcast write attacks targeting Unit ID 0

054,121 GitHub stars

06Automated mapping to MITRE ATT&CK for ICS techniques (T0843, T0855, T0836)

Use Cases

01Investigating unauthorized register modifications during OT incident response

02Validating ICS communication patterns against established security baselines

03Implementing network-based intrusion detection for PLC and SCADA environments

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-modbus-command-injection-attacks

For use in Claude.ai and ChatGPT

Key Features

01Identification of unauthorized Modbus masters and write operations

02Baseline-based anomaly detection for register access and polling intervals

03Deep packet inspection for Modbus TCP/RTU protocol frames

04Detection of high-risk broadcast write attacks targeting Unit ID 0

054,121 GitHub stars

06Automated mapping to MITRE ATT&CK for ICS techniques (T0843, T0855, T0836)

Use Cases

01Investigating unauthorized register modifications during OT incident response

02Validating ICS communication patterns against established security baselines

03Implementing network-based intrusion detection for PLC and SCADA environments

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-modbus-command-injection-attacks

For use in Claude.ai and ChatGPT