This lab demonstrates detection and analysis of unauthorized Modbus RTU write activity (Function Code 06, Write Single Register) in a simulated industrial control environment.
The project includes:
- Modbus RTU register manipulation simulation
- Terminal-level RTU transaction proof
- Splunk telemetry ingestion (key=value logging)
- Detection engineering logic
- SOC-style incident documentation
- MITRE ATT&CK (ICS) mapping
Designed to showcase OT-aware SOC analyst capability across:
- Industrial protocol analysis (Modbus RTU / RS-485)
- Unauthorized command detection (FC06)
- SIEM ingestion & field extraction (Splunk)
- Detection engineering
- OT business impact analysis
- MITRE ATT&CK (ICS) mapping
- SOC incident documentation workflow
Components
- Raspberry Pi (Modbus RTU master/client issuing the reads and writes, plus telemetry forwarder)
- RS-485 Modbus slave device (holds the target holding registers)
- Python + minimalmodbus
- Splunk (UDP syslog ingestion; UDP is best-effort and unauthenticated, so a production deployment would use a forwarder or a TCP/TLS input instead)
The lab simulates an unauthorized write to a writable holding register used as a configuration parameter (reg=5) on the slave.
Workflow:
- Baseline read of reg=5 (FC03) to record the value before the write
- Unauthorized write to reg=5 (FC06)
- Verification read of reg=5 (FC03) confirming the value changed
- Splunk ingestion of the write event as key=value telemetry
- Alert triggered by the detection search
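The three-step exchange above, as an added example that is not part of the lab's own code: it builds the FC03 and FC06 request frames a Modbus RTU master puts on the RS-485 wire, simulates the slave's normal responses (an FC06 normal response is a byte-for-byte echo of the request), validates the CRC-16, and renders each transaction as a key=value telemetry line of the kind the lab forwards to Splunk. The slave address, register contents, timestamps and field names (host, event, slave, fc, reg, value, count, result) are assumptions for the example; minimalmodbus produces the same bytes on a real serial link.

```python
"""Modbus RTU framing for the lab workflow: baseline read, FC06 write, verify.
Added example, not the lab's own code. Slave address, register contents,
timestamps and telemetry field names are assumptions for the example.
"""
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def seal(body: bytes) -> bytes:
    """Append the CRC, low byte first, as Modbus RTU puts it on the wire."""
    return body + struct.pack("<H", crc16_modbus(body))

def check_crc(frame: bytes) -> bytes:
    """Return the frame body if its trailing CRC verifies, else raise."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body = frame[:-2]
    if struct.unpack("<H", frame[-2:])[0] != crc16_modbus(body):
        raise ValueError("CRC mismatch")
    return body

def read_holding_registers(slave: int, reg: int, count: int = 1) -> bytes:
    """FC03 request: slave address, 0x03, start register, register count."""
    return seal(struct.pack(">BBHH", slave, 0x03, reg, count))

def write_single_register(slave: int, reg: int, value: int) -> bytes:
    """FC06 request: slave address, 0x06, register, 16-bit value."""
    return seal(struct.pack(">BBHH", slave, 0x06, reg, value))

def parse_request(frame: bytes) -> dict:
    """Decode a master-to-slave request into the fields the telemetry logs."""
    slave, fc, reg, arg = struct.unpack(">BBHH", check_crc(frame))
    return {"slave": slave, "fc": fc, "reg": reg,
            "value" if fc == 0x06 else "count": arg}

def parse_read_response(frame: bytes) -> list:
    """Decode an FC03 normal response: slave, 0x03, byte count, values."""
    body = check_crc(frame)
    count = body[2]
    return list(struct.unpack(">" + "H" * (count // 2), body[3:3 + count]))


class SimulatedSlave:
    """Stand-in for the RS-485 slave; holds a few 16-bit holding registers."""

    def __init__(self, address: int, registers: dict):
        self.address = address
        self.registers = dict(registers)

    def handle(self, request: bytes) -> bytes:
        slave, fc, reg, arg = struct.unpack(">BBHH", check_crc(request))
        if slave != self.address:
            return b""                      # not addressed to us: stay silent
        if fc == 0x03:                      # normal response: byte count + values
            values = [self.registers.get(reg + i, 0) for i in range(arg)]
            body = struct.pack(">BBB", slave, fc, 2 * arg)
            return seal(body + b"".join(struct.pack(">H", v) for v in values))
        if fc == 0x06:                      # FC06 normal response echoes the request
            self.registers[reg] = arg
            return request
        # Exception response: function code with high bit set, code 01 = illegal function
        return seal(struct.pack(">BBB", slave, fc | 0x80, 0x01))


def telemetry_line(ts: str, host: str, fields: dict) -> str:
    """key=value event line as forwarded to Splunk (field names are assumptions)."""
    event = "modbus_rtu_write" if fields["fc"] == 0x06 else "modbus_rtu_read"
    kv = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"{ts} host={host} event={event} {kv}"

def run_workflow(slave: SimulatedSlave) -> list:
    """Baseline read, unauthorized write, verification read of reg=5 on slave 1."""
    steps = [  # constructed timestamps
        ("2024-01-01T00:00:01Z", read_holding_registers(1, 5)),
        ("2024-01-01T00:00:02Z", write_single_register(1, 5, 1234)),
        ("2024-01-01T00:00:03Z", read_holding_registers(1, 5)),
    ]
    lines = []
    for ts, request in steps:
        response = slave.handle(request)
        fields = parse_request(request)
        if fields["fc"] == 0x03:
            fields["result"] = parse_read_response(response)[0]
        lines.append(telemetry_line(ts, "rpi-modbus", fields))
    return lines


if __name__ == "__main__":
    for line in run_workflow(SimulatedSlave(address=1, registers={5: 100})):
        print(line)
```

Running the file prints the three telemetry lines: the baseline read with result=100, the write with fc=6 reg=5 value=1234, and the verification read with result=1234. The CRC check is what a real master relies on to reject a corrupted frame, so the decoder refuses any frame whose CRC does not verify rather than logging partial fields.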
MITRE ATT&CK (ICS) mapping:
| Technique ID | Technique name |
|---|---|
| T0855 | Unauthorized Command Message |
| T0831 | Manipulation of Control |
| T0807 | Command-Line Interface |
Unauthorized RTU writes can:
- Manipulate process variables
- Modify configuration parameters
- Cause production disruption
- Create equipment damage or safety risk
This lab detects unauthorized Modbus RTU write activity (Function Code 06) by:
- Logging Modbus transactions as structured key-value telemetry
- Ingesting events into Splunk SIEM
- Creating SPL queries to:
  - Detect write function codes (fc=6)
  - Identify unexpected register modifications
  - Alert on abnormal write frequency
- Triggering a real-time alert for unauthorized write behavior
Example SPL detection (FC06 write to the configuration register):
index=main modbus_rtu_write fc=6 | where reg=5
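The three detection rules listed above, reimplemented as an added example (not the lab's own searches) so they can be run offline against sample telemetry: a plain fc=6 match, a write to a register outside an allow-list, and a burst of writes inside a time window. The SPL in each docstring is my own equivalent of the rule, not a query from the lab. The sample log lines, the field names, the allow-list (registers 10 and 11 as legitimate setpoints) and the burst threshold are constructed assumptions.

```python
"""Detection logic for unauthorized Modbus RTU writes over key=value telemetry.
Added example, not the lab's own code. Sample lines, field names, allow-list
and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("slave", "fc", "reg", "value", "count", "result")

# Registers the master is allowed to write, per slave (assumption: reg 10/11
# are HMI setpoints). Any other FC06 target is an unexpected modification.
AUTHORIZED_WRITES = {1: {10, 11}}
BURST_THRESHOLD = 3                  # writes inside the window that count as abnormal
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample telemetry: baseline read, the reg=5 write and its
# verification read, one legitimate setpoint write, then a burst of writes.
SAMPLE_LOG = """\
2024-01-01T00:00:01Z host=rpi-modbus event=modbus_rtu_read slave=1 fc=3 reg=5 count=1 result=100
2024-01-01T00:00:02Z host=rpi-modbus event=modbus_rtu_write slave=1 fc=6 reg=5 value=1234
2024-01-01T00:00:03Z host=rpi-modbus event=modbus_rtu_read slave=1 fc=3 reg=5 count=1 result=1234
2024-01-01T00:02:00Z host=rpi-modbus event=modbus_rtu_write slave=1 fc=6 reg=10 value=500
2024-01-01T00:05:00Z host=rpi-modbus event=modbus_rtu_write slave=1 fc=6 reg=7 value=1
2024-01-01T00:05:01Z host=rpi-modbus event=modbus_rtu_write slave=1 fc=6 reg=8 value=1
2024-01-01T00:05:02Z host=rpi-modbus event=modbus_rtu_write slave=1 fc=6 reg=9 value=1
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict, like Splunk's KV field extraction."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    for key in INT_FIELDS:
        if key in event:
            event[key] = int(event[key])
    event["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def detect_writes(events: list) -> list:
    """SPL equivalent: index=main event=modbus_rtu_write fc=6"""
    return [e for e in events if e.get("fc") == 6]

def detect_unexpected_register(events: list, authorized=AUTHORIZED_WRITES) -> list:
    """SPL equivalent: index=main event=modbus_rtu_write fc=6 NOT reg IN (10, 11)"""
    return [e for e in detect_writes(events)
            if e["reg"] not in authorized.get(e["slave"], set())]

def detect_write_burst(events: list, threshold=BURST_THRESHOLD, window=BURST_WINDOW) -> list:
    """SPL equivalent (tumbling 1-minute bins rather than this sliding window):
    index=main event=modbus_rtu_write fc=6 | bin _time span=1m
    | stats count by slave, _time | where count >= 3
    """
    recent = defaultdict(list)       # slave -> write timestamps still inside the window
    alerts = []
    for e in sorted(detect_writes(events), key=lambda e: e["_time"]):
        q = recent[e["slave"]]
        q.append(e["_time"])
        while e["_time"] - q[0] > window:   # drop writes that aged out of the window
            q.pop(0)
        if len(q) == threshold:             # fire when the count reaches the threshold
            alerts.append({"slave": e["slave"], "count": len(q), "last_write": e["_time"]})
    return alerts

def run_detections(text: str) -> dict:
    """Run all three rules over raw telemetry; returns matching events keyed by rule."""
    events = parse_log(text)
    return {
        "modbus_write": detect_writes(events),
        "unexpected_register": detect_unexpected_register(events),
        "write_burst": detect_write_burst(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample data the fc=6 rule matches all five writes, the allow-list rule narrows that to the four writes targeting registers 5, 7, 8 and 9, and the burst rule fires once, for the three writes at 00:05:00 to 00:05:02. The allow-list rule is the one that carries the signal in this lab: a bare fc=6 match also fires on the legitimate setpoint write, which is why the SPL in the lab pins the search to reg=5.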