Reachable Modbus PLC → direct register override
Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.
§ Context
Assumed environment: foothold on the OT network (or a poorly-segmented IT/OT shared VLAN). PLC accepts Modbus TCP on 502/tcp.
§ Steps
- 01 · Setpoint / output deviation · Impact · T1486 — Data Encrypted for Impact
- 02 · Enumerate registers / coils · Discovery · T1087 — Account Discovery
- 03 · nmap --script modbus-discover · Discovery · N-NMAP-INTERNAL — Internal Nmap Sweep
- 04 · pymodbus write_register / write_coils · Impact · OT-MODBUS-WRITE — Modbus TCP Write to PLC
- 05 · Read PV / setpoints · Credential Access · T1040 — Network Sniffing
§ References
- T1486 — Data Encrypted for Impact
- T1087 — Account Discovery
- T1040 — Network Sniffing
§ Frequently asked
- What is the "Reachable Modbus PLC → direct register override" attack path?
- Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Setpoint / output deviation (T1486) — an impact primitive. Assumed environment: foothold on the OT network (or a poorly-segmented IT/OT shared VLAN).
- What is the final impact of this kill-chain?
- The final step lands on Read PV / setpoints (T1040), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques: 4
BACnet HVAC → disrupt building operations
BACnet on UDP/47808 is unauthenticated. From a foothold in corporate IT, write to HVAC controllers — over-cool a data centre, disable smoke evacuation, mess with elevators.
- Shared techniques: 2
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- Shared techniques: 2
Unauth DICOM PACS → mass medical-image exfil
PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII).
- Shared techniques: 2
z/OS TN3270 → RACF userID brute → mainframe shell
Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
- Shared techniques: 2
LoRaWAN replay → spoof environmental sensor
Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames — feed false readings into the upstream IoT platform.
- Shared techniques: 2
Open MongoDB → dump every collection
Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.