Skip to content
attack.paths
Connexion
← RegistryDossier · 5 steps · 4 edges

Reachable Modbus PLC → direct register override

Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.

Filed by AD Knowledge Base
§ Kill-chainDrag · zoom · scroll

§ Context

Assumed environment: foothold on the OT network (or a poorly-segmented IT/OT shared VLAN). PLC accepts Modbus TCP on 502/tcp.

§ Steps

  1. 01
    Setpoint / output deviationImpact
    T1486Data Encrypted for Impact
  2. 02
    Enumerate registers / coilsDiscovery
    T1087Account Discovery
  3. 03
    nmap --script modbus-discoverDiscovery
    N-NMAP-INTERNALInternal Nmap Sweep
  4. 04
    pymodbus write_register / write_coilsImpact
    OT-MODBUS-WRITEModbus TCP Write to PLC
  5. 05
    Read PV / setpointsCredential Access
    T1040Network Sniffing

§ References

§ Frequently asked

What is the "Reachable Modbus PLC → direct register override" attack path?
Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?
The first step is Setpoint / output deviation (T1486) — a impact primitive. Assumed environment: foothold on the OT network (or a poorly-segmented IT/OT shared VLAN).
What is the final impact of this kill-chain?
The final step lands on Read PV / setpoints (T1040), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?
Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers