Anthropic-Cybersecurity-Skills/skills/detecting-stuxnet-style-attacks/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# API Reference: Stuxnet-Style ICS Attack Detection
## Modbus TCP Protocol
### Frame Structure
| Offset | Size | Field |
|--------|------|-------|
| 0 | 2 | Transaction ID |
| 2 | 2 | Protocol ID (0x0000) |
| 4 | 2 | Length |
| 6 | 1 | Unit ID |
| 7 | 1 | Function Code |
| 8+ | var | Data |
### Write Function Codes (Attack-Relevant)
| Code | Name | Risk |
|------|------|------|
| 5 | Write Single Coil | Medium |
| 6 | Write Single Register | Medium |
| 15 | Write Multiple Coils | High |
| 16 | Write Multiple Registers | High |
| 22 | Mask Write Register | High |
| 23 | Read/Write Multiple Registers | High |
Modbus has no authentication, so any host that can reach TCP/502 can issue these. A response echoes the request's function code, so direction (traffic towards port 502) is what distinguishes a write request from its acknowledgement; a function-code match alone fires twice per write.
## Siemens S7comm Protocol
S7comm is carried on TCP/102 inside TPKT (RFC 1006) and COTP (ISO 8073). The S7 header starts with protocol ID 0x32, followed by the ROSCTR byte (1 = Job, i.e. a request; 2 = Ack; 3 = Ack_Data; 7 = Userdata), and the first byte of the parameter block is the function code below. Ack_Data PDUs repeat the Job's function code, so filter on ROSCTR when only requests matter.
### S7 Parameter Functions
| Code | Name |
|------|------|
| 0x04 | Read Variable |
| 0x05 | Write Variable |
| 0x1A | Request Download |
| 0x1B | Download Block |
| 0x1C | Download Ended |
| 0x28 | PLC Control (PI services such as program start) |
| 0x29 | PLC Stop |
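The two framings above, decoded in working Python as an added example (this is not code from the original page or from the skill repository). Modbus parsing follows the MBAP/PDU table; the S7comm walk (TPKT, COTP, 10-byte S7 Job header, parameter block) and the byte layouts assumed for the Request Download and PLC Stop parameter blocks follow the Wireshark s7comm dissector and are assumptions of this example, as are the five sample packets, which are constructed rather than captured. It goes a little beyond the tables: it rejects payloads whose length fields disagree instead of guessing, judges only requests (Modbus by server port, S7comm by ROSCTR = Job), and pulls the block name out of a download request so that an OB1/OB35 download can be told from a DB write.

```python
"""Flag attack-relevant Modbus/TCP and S7comm requests in raw TCP payloads.
Added example, not from the original page: S7 parameter layouts follow the
Wireshark s7comm dissector and every sample packet below is constructed."""
import struct
from collections import namedtuple
from typing import Optional

Finding = namedtuple("Finding", "proto function name detail")

MODBUS_WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
                      15: "Write Multiple Coils", 16: "Write Multiple Registers",
                      22: "Mask Write Register"}
S7_FUNCS = {0x05: "Write Var", 0x1A: "Request Download", 0x1B: "Download Block",
            0x1C: "Download Ended", 0x28: "PLC Control", 0x29: "PLC Stop"}
# Block type as encoded in an S7 download filename, e.g. "_0A00001P" -> DB 1.
S7_BLOCK_TYPES = {"08": "OB", "0A": "DB", "0B": "SDB", "0C": "FC",
                  "0D": "SFC", "0E": "FB", "0F": "SFB"}


def parse_modbus(payload: bytes) -> Optional[Finding]:
    """Return a Finding for a write PDU; None for reads and exception responses."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header + function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"MBAP protocol id 0x{proto_id:04x} is not Modbus")
    if length != len(payload) - 6:              # Length counts Unit ID + PDU
        raise ValueError("MBAP length does not match payload")
    func, data = payload[7], payload[8:]
    if func & 0x80 or func not in MODBUS_WRITE_FUNCS:
        return None                             # exception response or a read
    if func == 22:
        addr, and_mask, or_mask = struct.unpack(">HHH", data[:6])
        detail = f"unit={unit} addr={addr} and=0x{and_mask:04x} or=0x{or_mask:04x}"
    else:               # 5/6: address + value; 15/16: start address + quantity
        addr, val = struct.unpack(">HH", data[:4])
        detail = f"unit={unit} addr={addr} " + (
            f"value=0x{val:04x}" if func in (5, 6) else f"qty={val}")
    return Finding("modbus", func, MODBUS_WRITE_FUNCS[func], detail)


def parse_s7comm(payload: bytes) -> Optional[Finding]:
    """Return a Finding for an S7 Job carrying a write, download or control function."""
    if len(payload) < 7 or payload[0] != 0x03:  # TPKT version 3
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        raise ValueError("TPKT length does not match payload")
    if payload[5] != 0xF0:                      # only COTP DT TPDUs carry an S7 PDU
        return None
    s7 = payload[5 + payload[4]:]               # skip length-prefixed COTP header
    if len(s7) < 10 or s7[0] != 0x32:           # S7 protocol id
        raise ValueError("not an S7comm PDU")
    if s7[1] != 0x01:                           # ROSCTR 1 = Job (request)
        return None
    param_len = struct.unpack(">H", s7[6:8])[0]
    params = s7[10:10 + param_len]              # Job header is 10 bytes (no error field)
    func = params[0]
    if func not in S7_FUNCS:
        return None
    detail = ""
    if func == 0x1A:        # status(1) unknown(2) unknown(4) name_len(1) name
        n = params[8]
        fname = params[9:9 + n].decode("ascii", "replace")
        btype = S7_BLOCK_TYPES.get(fname[1:3], fname[1:3])
        detail = f"block={btype} {int(fname[3:8])} file={fname}"
    elif func == 0x29:      # unknown(5) service_len(1) PI service name
        n = params[6]
        detail = "service=" + params[7:7 + n].decode("ascii", "replace")
    return Finding("s7comm", func, S7_FUNCS[func], detail)


def inspect(dst_port: int, payload: bytes) -> Optional[Finding]:
    if dst_port == 502:                         # judge client-to-PLC traffic only
        return parse_modbus(payload)
    return parse_s7comm(payload) if dst_port == 102 else None


# Constructed sample payloads (not captures).
MODBUS_WRITE16 = bytes.fromhex("0001 0000 000b 01"          # MBAP: tid 1, len 11, unit 1
                               "10 0064 0002 04 1234 5678")  # FC16: addr 100, 2 registers
MODBUS_READ03 = bytes.fromhex("0002 0000 0006 01 03 0000 000a")  # FC3: read 10 registers
S7_READ_VAR = bytes.fromhex("0300001f 02f080 32 01 0000 0003 000e 0000"
                            "04 01 120a1002 0001 0001 84 000000")   # Read Var DB1.DBB0
S7_REQ_DOWNLOAD = bytes.fromhex("03000023 02f080 32 01 0000 0001 0012 0000"
                                "1a 00 0000 00000000 09") + b"_0A00001P"
S7_PLC_STOP = bytes.fromhex("03000021 02f080 32 01 0000 0002 0010 0000"
                            "29 0000000000 09") + b"P_PROGRAM"
SAMPLE_PACKETS = [(502, MODBUS_WRITE16), (502, MODBUS_READ03), (102, S7_READ_VAR),
                  (102, S7_REQ_DOWNLOAD), (102, S7_PLC_STOP)]


def scan(packets):
    """Return the findings for a list of (dst_port, payload) pairs."""
    return [f for port, p in packets if (f := inspect(port, p)) is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_PACKETS):
        print(f"[{f.proto}] func=0x{f.function:02x} {f.name}: {f.detail}")
```

Run stand-alone it reports the FC16 write, the DB 1 download request and the PLC Stop, and stays silent on the two reads. Length mismatches raise rather than returning None so that a deliberately malformed frame is surfaced instead of silently passing; in a real pipeline the payloads would come from a TCP stream reassembler, and the Request Download Job from the engineering station is the event to alert on because it opens the download exchange.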
## Wireshark/tshark Filters
A function-code match alone fires on requests and responses alike: Modbus responses echo the request's function code and S7comm Ack_Data PDUs carry the same parameter function as the Job. Pin direction with the server port (Modbus) or `s7comm.header.rosctr == 1` (S7 Job).
### Modbus write operations
```bash
# Write codes only: a plain range 5..16 would also match read-only codes 7, 8, 11 and 12.
# tcp.dstport == 502 keeps requests and drops the echoing responses.
tshark -r capture.pcap -Y "modbus.func_code in {5 6 15 16 22 23} && tcp.dstport == 502"
```
### S7comm block downloads
```bash
tshark -r capture.pcap -Y "s7comm.header.rosctr == 1 && (s7comm.param.func == 0x1a || s7comm.param.func == 0x1b || s7comm.param.func == 0x1c)"
```
### S7comm PLC stop/start
```bash
# 0x28 is PLC Control (PI services such as program start); 0x29 is PLC Stop.
tshark -r capture.pcap -Y "s7comm.header.rosctr == 1 && (s7comm.param.func == 0x28 || s7comm.param.func == 0x29)"
```
## Stuxnet IOC Signatures
### YARA Rule
```yara
rule Stuxnet_Driver
{
    meta:
        description = "Stuxnet rootkit driver file names and global mutex (string IOCs)"
    strings:
        $mrxcls = "mrxcls.sys" ascii wide nocase
        $mrxnet = "mrxnet.sys" ascii wide nocase
        $mutex  = "{A3BD0EA3-CD10-4258-8784-2F53E56E2010}" ascii wide
    condition:
        any of them
}
```
These are plain string IOCs: the driver names also appear in IR notes, AV logs and documentation (this page included), so scan PE files and memory rather than whole file shares, or prefix the condition with `uint16(0) == 0x5A4D and` to limit matches to PE images. `wide` is needed because the names are stored as UTF-16 in Windows binaries and the registry.
### Registry Keys
```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
```
The two service keys register the loader driver (MrxCls, which injects the main Stuxnet DLL into processes at boot) and the file-hiding driver (MrxNet, which hides the malicious `.lnk` and `~WTR*.tmp` files on removable drives); the `MS-DOS Emulation` key is where Stuxnet kept its encrypted configuration data. On a clean Windows system none of the three should exist.
## Siemens Step 7 Project Structure
### Organization Blocks
| Block | Purpose |
|-------|---------|
| OB1 | Main program cycle |
| OB35 | Cyclic interrupt (default period 100 ms) |
| OB100 | Startup (warm restart) |
Stuxnet's PLC payload inserted its own code into OB1 and OB35, so unexplained changes to these two blocks (compare the MC7 code on the PLC with the engineering station's project) are the first thing to check.
### File Extensions
| Extension | Content |
|-----------|---------|
| `.awl` | Statement List source |
| `.mc7` | Compiled machine code |
| `.s7p` | Project file |
## Snort/Suricata Rules for ICS
```
alert tcp any any -> any 502 (msg:"ICS Modbus Write Multiple Registers request"; \
    flow:to_server,established; \
    content:"|00 00|"; offset:2; depth:2; \
    byte_test:1,=,16,7; \
    sid:1000001; rev:1;)
```
The rule pins the MBAP Protocol ID (payload bytes 2-3) to 0x0000 and tests the function-code byte at offset 7 for 16; `flow:to_server` limits it to requests, since responses echo the function code, and `rev` is required by both engines. The fixed offsets assume one Modbus ADU at the start of the TCP segment, so a second ADU packed into the same segment is missed; where Suricata is available, its Modbus application-layer keyword (`modbus: function 16`) decodes the stream instead.