The file ~/GIAC/hickory.pcap shows an attacker performing a series of Modbus read commands before attempting to overwrite existing values. Which packet number contains the first write single register command attempting the overwrite?
Within the GICSP domain covering ICS protocol analysis and incident response, analyzing packet captures (PCAPs) is a core skill. Modbus/TCP has no authentication, so any host that can reach TCP port 502 on a device can issue writes; inspecting the traffic is often the only way to detect unauthorized writes to coils or registers.
The write single register command is Modbus function code 0x06 (decimal 6). Read commands such as read holding registers (0x03) and read input registers (0x04) have no side effects on the device, so a run of reads followed by the first 0x06 marks the point where manipulation begins.
In Wireshark, the display filter modbus.func_code == 6 lists every write single register frame. Because a normal response echoes the request's function code, restrict the result to requests (client to server, TCP destination port 502); the lowest frame number among those requests is the first overwrite attempt.
In the hickory.pcap capture used in GICSP labs, packet 72 is that first write single register request, as verified in the official training capture examples.
This confirms the attacker's transition from reconnaissance (read commands) to active manipulation (write attempts), a key red flag in industrial cybersecurity.
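The same check done programmatically, as an added example that is not part of the original page, the exam material, or GIAC/SANS training content: the code below parses Modbus/TCP frames (MBAP header plus PDU), keeps only client-to-server requests, and reports the first write request together with how many read requests preceded it. It does not read hickory.pcap; the frames, frame numbers, ports and register values are constructed inline for illustration, and the helper names (build_adu, parse_adu, first_write_request) are this example's own.

```python
import struct

# Modbus function codes used in the read-then-write pattern.
READ_CODES = {0x01, 0x02, 0x03, 0x04}          # read coils / inputs / registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}         # write single/multiple coils or registers
FC_READ_HOLDING_REGS = 0x03
FC_WRITE_SINGLE_REG = 0x06
MODBUS_TCP_PORT = 502


def build_adu(transaction_id, unit_id, pdu):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    MBAP = transaction id, protocol id (always 0), length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(payload, request=True):
    """Parse one Modbus/TCP ADU from a TCP payload and return its fields.
    Address/value fields are decoded only for request-shaped PDUs (FC 0x03/0x04/0x06),
    since response PDUs for reads carry a byte count and data instead.
    Raises ValueError on a malformed frame rather than guessing."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus (0)" % proto)
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match payload" % length)
    fc = payload[7]
    info = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}
    if request and not info["exception"] and info["fc"] in (0x03, 0x04, 0x06) and len(payload) >= 12:
        addr, word = struct.unpack(">HH", payload[8:12])
        info["address"] = addr
        info["value" if info["fc"] == FC_WRITE_SINGLE_REG else "quantity"] = word
    return info


def first_write_request(frames):
    """frames: iterable of (frame_number, src_port, dst_port, tcp_payload) in capture order.
    Returns (frame_number, parsed_info, reads_before) for the first write *request*
    (client to server, destination port 502), or None if there is no write.
    Responses are skipped: a server response echoes the request's function code,
    so a filter on the function code alone would match them as well."""
    reads_before = 0
    for frame_no, sport, dport, payload in frames:
        if dport != MODBUS_TCP_PORT:      # server -> client response, not a request
            continue
        info = parse_adu(payload, request=True)
        if info["fc"] in READ_CODES:
            reads_before += 1
        elif info["fc"] in WRITE_CODES:
            return frame_no, info, reads_before
    return None


# Constructed sample (not from hickory.pcap): three read-holding-register requests with
# their responses, then a write single register that overwrites register 1 with 0xFFFF.
def read_req(tid, addr, qty):
    return build_adu(tid, 1, struct.pack(">BHH", FC_READ_HOLDING_REGS, addr, qty))

def read_resp(tid, words):
    data = b"".join(struct.pack(">H", w) for w in words)
    return build_adu(tid, 1, struct.pack(">BB", FC_READ_HOLDING_REGS, len(data)) + data)

def write_req(tid, addr, value):
    return build_adu(tid, 1, struct.pack(">BHH", FC_WRITE_SINGLE_REG, addr, value))

SAMPLE_FRAMES = [
    (10, 49152, 502, read_req(1, 0, 4)),
    (11, 502, 49152, read_resp(1, [100, 200, 300, 400])),
    (12, 49152, 502, read_req(2, 0, 4)),
    (13, 502, 49152, read_resp(2, [100, 200, 300, 400])),
    (14, 49152, 502, read_req(3, 4, 2)),
    (15, 502, 49152, read_resp(3, [7, 8])),
    (16, 49152, 502, write_req(4, 1, 0xFFFF)),
    (17, 502, 49152, write_req(4, 1, 0xFFFF)),   # a normal FC 0x06 response echoes the request
    (18, 49152, 502, write_req(5, 2, 0)),
]

if __name__ == "__main__":
    frame_no, info, reads = first_write_request(SAMPLE_FRAMES)
    print("first write request: frame %d, fc=0x%02X addr=%d value=0x%04X after %d read requests"
          % (frame_no, info["fc"], info["address"], info["value"], reads))
```

Against a real capture the equivalent command-line check is tshark -r hickory.pcap -Y 'modbus.func_code == 6 && tcp.dstport == 502' -T fields -e frame.number, whose first line of output is the answer; the Python version exists to show why the direction filter matters and what the bytes behind the Wireshark fields actually are.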