mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.0 KiB
SCADA Attack Detection — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| pymodbus | pip install pymodbus | Modbus TCP client for PLC interaction |
| requests | pip install requests | SIEM and historian API queries |
Common SCADA Protocols and Ports
| Port | Transport | Protocol | Vendor/Use |
|---|---|---|---|
| 502 | TCP | Modbus TCP | Universal PLC communication |
| 102 | TCP | S7comm (ISO-TSAP, TPKT/COTP) | Siemens S7 PLCs |
| 44818 | TCP/UDP | EtherNet/IP CIP (explicit messaging; implicit I/O uses UDP 2222) | Allen-Bradley / Rockwell |
| 20000 | TCP/UDP | DNP3 | Power grid, water systems |
| 4840 | TCP | OPC UA | Universal ICS integration |
| 47808 | UDP | BACnet/IP | Building automation |
| 34962 | UDP | PROFINET RT over UDP (cyclic RT frames are raw Ethernet, EtherType 0x8892, and carry no IP port) | Siemens distributed I/O |
Modbus Attack Indicators
| Indicator | Description | Severity |
|---|---|---|
| Unit ID 0 (broadcast) on a write request | 0 is the serial-line broadcast address; a Modbus gateway may forward the write to every downstream device at once. Unit ID 255 is the normal "no gateway, address the TCP device itself" value in Modbus TCP and is not an indicator on its own | CRITICAL |
| Write function codes (5, 6, 15, 16) from outside the control network | Unauthorized process control change (coils or holding registers) | CRITICAL |
| Diagnostic/identification function codes (8, 17, 43) | Recon of device identity, firmware and communication counters; FC 8 sub-functions can also clear counters or force listen-only mode | HIGH |
| Bulk register reads (quantity at or near the 125-register limit, sweeping start addresses) | Enumeration and collection of point data from PLC memory | MEDIUM |
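The indicators above can be checked directly on the Modbus/TCP ADU (7-byte MBAP header followed by the PDU). The detector below is an added example, not code from the skill or from pymodbus; it parses raw request bytes, applies the four indicators, and tags each alert with the ATT&CK for ICS technique the page lists. The control-network range, the bulk-read threshold and the sample frames are constructed assumptions.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed OT/control network; anything outside it is treated as the IT side.
CONTROL_NETS = [ip_network("10.20.0.0/16")]
BULK_READ_THRESHOLD = 100           # coils/registers per request (max legal is 125 registers)

READ_FCS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}          # write single/multiple coils and registers
RECON_FCS = {8, 17, 43}             # diagnostics, report server ID, read device identification


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: MBAP (tid, proto=0, length, unit id) + PDU (fc, data)."""
    if len(payload) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts the unit id and the whole PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length mismatch")
    return ModbusRequest(tid, unit_id, payload[7], payload[8:])


def detect(src_ip: str, payload: bytes) -> list[dict]:
    """Return a list of alerts for one request observed from src_ip."""
    req = parse_modbus_tcp(payload)
    fc = req.function_code
    from_control_net = any(ip_address(src_ip) in net for net in CONTROL_NETS)
    alerts = []

    # Unit ID 0 is broadcast; 255 is the normal Modbus TCP value and is deliberately not flagged.
    if req.unit_id == 0 and fc in WRITE_FCS:
        alerts.append({"severity": "CRITICAL", "indicator": "broadcast write (unit ID 0)",
                       "technique": "T0855"})
    if fc in WRITE_FCS and not from_control_net:
        alerts.append({"severity": "CRITICAL",
                       "indicator": f"write FC {fc} from {src_ip} outside the control network",
                       "technique": "T0855"})
    if fc in RECON_FCS:
        alerts.append({"severity": "HIGH", "indicator": f"diagnostic/identification FC {fc}",
                       "technique": None})
    if fc in READ_FCS and len(req.data) >= 4:
        _start, quantity = struct.unpack("!HH", req.data[:4])
        if quantity >= BULK_READ_THRESHOLD:
            alerts.append({"severity": "MEDIUM", "indicator": f"bulk read of {quantity} items",
                           "technique": "T0861"})
    return alerts


# Constructed sample traffic: (source IP, raw Modbus/TCP request).
SAMPLE_TRAFFIC = [
    # FC 16 write of 2 registers, unit ID 0, from an IT host -> broadcast write + write from IT
    ("192.168.1.50", bytes.fromhex("00010000000b0010000000020400010002")),
    # FC 3 read of 125 holding registers from a control-network host -> bulk read
    ("10.20.1.5", bytes.fromhex("00020000000601030000007d")),
    # FC 43 / MEI 0x0E read device identification from a control-network host -> recon
    ("10.20.1.5", bytes.fromhex("000300000005012b0e0100")),
    # FC 5 write single coil, unit ID 1, from a control-network host -> benign
    ("10.20.1.5", bytes.fromhex("00040000000601050010ff00")),
]


def run_samples() -> list[list[dict]]:
    """Run the detector over SAMPLE_TRAFFIC and return one alert list per frame."""
    return [detect(src, frame) for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, _), alerts in zip(SAMPLE_TRAFFIC, run_samples()):
        for a in alerts:
            print(f"{a['severity']:8} {src:14} {a['indicator']} ({a['technique']})")
```

Feed it the TCP payload of each client-to-server segment on port 502 (for example from a Zeek or tshark export); the MBAP length check rejects fragments and concatenated ADUs rather than mis-parsing them.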
S7comm Connection Request (COTP CR)
| Field | Value | Description |
|---|---|---|
| TPKT version | 0x03 | ISO transport header (RFC 1006); followed by a reserved byte and a 16-bit total length |
| COTP PDU type | 0xe0 | Connection request (CR, credit 0) |
| TSAP parameter codes | 0xc1 / 0xc2 | Calling (source) and called (destination) TSAP-ID parameters inside the CR |
| Source TSAP | 0x0100 | Client address; high byte is the connection type (0x01 = PG programming device, 0x02 = OP/HMI) |
| Destination TSAP | 0x0102 | High byte connection type, low byte rack/slot (rack in the upper 3 bits, slot in the lower 5): 0x02 = rack 0, slot 2, the CPU slot on an S7-300; S7-1200/1500 CPUs use slot 1 |
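A detection that uses these fields is to parse every COTP CR on TCP/102 and flag PG-type (programming) connections from hosts that are not engineering workstations, since a PG session is what precedes a logic download. The parser below is an added example, not code from the skill; the engineering-workstation allowlist and the sample frames are constructed assumptions, and the TSAP rack/slot decoding follows the convention described in the table.

```python
from __future__ import annotations

import struct

# Assumed engineering workstations allowed to open PG (programming) sessions to PLCs.
ENGINEERING_HOSTS = {"10.20.5.7"}

CONNECTION_TYPES = {0x01: "PG", 0x02: "OP", 0x03: "OTHER"}
TSAP_SRC, TSAP_DST, TPDU_SIZE = 0xC1, 0xC2, 0xC0


def decode_tsap(tsap: int) -> dict:
    """Split a 16-bit S7 TSAP into connection type, rack and slot."""
    conn, addr = tsap >> 8, tsap & 0xFF
    return {"raw": tsap, "type": CONNECTION_TYPES.get(conn, f"0x{conn:02x}"),
            "rack": (addr >> 5) & 0x07, "slot": addr & 0x1F}


def parse_cotp_cr(frame: bytes) -> dict:
    """Parse TPKT + COTP Connection Request and return its TSAPs."""
    if len(frame) < 4 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack("!H", frame[2:4])[0]
    if tpkt_len != len(frame):
        raise ValueError("TPKT length mismatch")
    li, pdu_type = frame[4], frame[5]
    if pdu_type != 0xE0:
        raise ValueError(f"COTP PDU type 0x{pdu_type:02x} is not a connection request")
    if 5 + li != len(frame):
        raise ValueError("COTP length indicator mismatch")
    dst_ref, src_ref, class_opt = struct.unpack("!HHB", frame[6:11])
    params = {}
    pos = 11                               # variable part: code, length, value ...
    while pos + 2 <= len(frame):
        code, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2: pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated COTP parameter")
        params[code] = value
        pos += 2 + length
    if TSAP_SRC not in params or TSAP_DST not in params:
        raise ValueError("CR without TSAP parameters")
    return {
        "dst_ref": dst_ref, "src_ref": src_ref, "class": class_opt,
        "tpdu_size": 1 << params[TPDU_SIZE][0] if TPDU_SIZE in params else None,
        "src_tsap": decode_tsap(int.from_bytes(params[TSAP_SRC], "big")),
        "dst_tsap": decode_tsap(int.from_bytes(params[TSAP_DST], "big")),
    }


def check_s7_connection(src_ip: str, frame: bytes) -> list[dict]:
    """Flag PG-type connection requests from hosts outside the engineering allowlist."""
    cr = parse_cotp_cr(frame)
    alerts = []
    if cr["dst_tsap"]["type"] == "PG" and src_ip not in ENGINEERING_HOSTS:
        d = cr["dst_tsap"]
        alerts.append({"severity": "HIGH",
                       "indicator": f"PG connection from {src_ip} to rack {d['rack']} slot {d['slot']}",
                       "technique": "T0821 (precursor: programming access)"})
    return alerts


# Constructed samples: (source IP, TPKT/COTP CR bytes).
PG_CR = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")   # PG -> rack 0 slot 2
OP_CR = bytes.fromhex("0300001611e00000000100c0010ac1020200c2020201")   # OP -> rack 0 slot 1
SAMPLE_CONNECTIONS = [("10.20.5.7", PG_CR), ("192.168.1.50", PG_CR), ("10.20.7.9", OP_CR)]


def run_samples() -> list[list[dict]]:
    return [check_s7_connection(src, frame) for src, frame in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for (src, _), alerts in zip(SAMPLE_CONNECTIONS, run_samples()):
        print(src, alerts or "ok")
```

Only the first TPKT segment of a new TCP/102 connection needs to be parsed; a following COTP DT (0xf0) carries the S7comm setup and is out of scope for this check.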
MITRE ATT&CK for ICS
| Technique | ID | Description |
|---|---|---|
| Point & Tag Identification | T0861 | Enumerate process data points |
| Unauthorized Command Message | T0855 | Send rogue commands to controller |
| Modify Controller Tasking | T0821 | Change PLC program logic |
| Denial of Service | T0814 | Disrupt SCADA communications |