Modbus TCP Write to PLC
Modbus has no authentication. A reachable PLC accepts unauthenticated 'write single register' / 'write coils' requests, so outputs and setpoints can be driven directly over the network.
§ Where this technique fits
OT-MODBUS-WRITE is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 5 approved dossiers in the registry, at step 4.4 on average.
§ Dossiers chaining this technique
- step 4 / 5: HMI default credentials → operations disruption
  Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values + commands sent to PLCs through legit channels.
- step 4 / 5: Open MQTT broker → smart-estate takeover
  Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats.
- step 4 / 5: Reachable Modbus PLC → direct register override
  Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.
- step 5 / 6: Engineering workstation → push payload to PLC
  Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.
- step 5 / 5: Zigbee network key sniff → smart-home control
  Sniff a fresh device-join with an Atmel RZRAVEN; Zigbee broadcasts the network key in plaintext during pairing. Decrypt all subsequent traffic + send commands.
§ What commonly comes next
- 01 Data Encrypted for Impact (seen 2×) T1486 · Impact
- 02 Safety Instrumented System Override (seen 1×) OT-SAFETY-OVERRIDE · Impact
- 03 Valid Accounts (seen 1×) T1078 · Initial Access