detecting-stuxnet-style-attacks
by mukul975
The detecting-stuxnet-style-attacks skill helps defenders detect Stuxnet-like OT and ICS intrusion patterns, including PLC logic tampering, spoofed sensor data, engineering workstation compromise, and IT-to-OT lateral movement. Use it for threat hunting, incident triage, and process-integrity monitoring with protocol, host, and process evidence.
This skill scores 78/100, which means it is a solid listing candidate for Agent Skills Finder. It gives directory users enough concrete OT/ICS detection workflow detail—rather than just a generic cybersecurity description—to justify installation, though it still has some adoption caveats around setup and end-to-end usability.
- Strong triggerability for a specific use case: Stuxnet-style OT/ICS attack detection, with explicit "When to Use" and "Do not use" guidance.
- Operationally useful content is present in both the skill and support files, including Modbus/S7comm indicators, tshark filters, and a Python agent script for PCAP analysis.
- Good agent leverage for detection work: it covers PLC logic integrity, process anomaly detection, lateral movement, and IOC-style checks across host and network evidence.
- No install command in SKILL.md, so users may need to figure out activation/integration steps themselves.
- The repo appears detection-focused and technical, but the evidence shown does not fully reveal a polished end-to-end workflow or validation guidance for all scenarios.
Overview of detecting-stuxnet-style-attacks skill
What this skill is for
The detecting-stuxnet-style-attacks skill helps you detect Stuxnet-like cyber-physical intrusion patterns in OT and ICS environments: unauthorized PLC logic changes, spoofed sensor data, engineering workstation compromise, and the IT-to-OT path that enables process manipulation. It is best for defenders doing threat hunting, incident triage, or control-system monitoring where “normal” network alerts are not enough.
Who should use it
Use this detecting-stuxnet-style-attacks skill if you are a SOC analyst, OT security engineer, threat hunter, or purple teamer working on high-value industrial targets. It is especially relevant when you need to connect packet evidence, host indicators, and process behavior into one detection story instead of chasing isolated IOCs.
What makes it different
This skill is not a generic SCADA alerting prompt. It centers on PLC integrity, protocol-level write activity, engineering workstation compromise, and physics-aware anomaly detection. That makes it a better fit when the question is “was the process secretly altered?” rather than “did we see malware traffic?”
How to Use detecting-stuxnet-style-attacks skill
Install and load it
For detecting-stuxnet-style-attacks install, use the repository path in your skills manager: npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-stuxnet-style-attacks. After installation, open skills/detecting-stuxnet-style-attacks/SKILL.md first to confirm scope, then read the supporting files that drive the detection logic.
Start with the right inputs
The skill works best when you provide evidence, not a vague suspicion. Strong inputs include:
- a PCAP or packet summary from OT segments
- PLC model and protocol details, such as Modbus or S7comm
- a timeline of process anomalies or unplanned setpoint changes
- engineering workstation events, USB activity, or remote access logs
- known-good baselines for PLC logic or process behavior
A weak prompt is “check this network for Stuxnet.” A stronger prompt is: “Analyze this Modbus and S7comm traffic plus endpoint logs for signs of PLC writes, block downloads, and process spoofing consistent with Stuxnet-style manipulation.”
Read the files in this order
To use the skill in practice, preview these first:
- SKILL.md for the workflow and decision points
- references/api-reference.md for protocol and IOC cues
- scripts/agent.py for how the detection logic is operationalized
This repo is compact, so those files tell you almost everything you need to know about how the skill reasons and what evidence it expects.
Use it in a threat-hunting workflow
A good workflow is: identify the OT asset and protocol, look for write-capable operations, check for PLC download or stop/start activity, then correlate with host compromise indicators and process anomalies. The detecting-stuxnet-style-attacks guide is most useful when you ask the model to map observations to a chain, not just to list indicators. For best results, include what should have happened, what actually happened, and what baseline you trust.
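As an added example (not code from the skill or its scripts/agent.py), here is the "look for write-capable operations" step of the workflow above for Modbus/TCP: parse the MBAP header and function code of each request, flag the state-changing function codes, and report writes whose source is not an allowlisted engineering workstation. The sample frames, host addresses and allowlist are constructed for illustration.

```python
import struct

# Modbus function codes that change PLC state; read-only codes are omitted on purpose.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        23: "Read/Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0 and the length field counts unit id + PDU bytes.
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc = frame[7]
    return {"transaction_id": tid, "unit_id": uid, "function_code": fc,
            "is_write": fc in WRITE_FUNCTION_CODES}

def hunt_unexpected_writes(events, engineering_hosts):
    """Return write-capable requests whose source is not an allowlisted
    engineering workstation. events: iterable of (timestamp, src_ip, frame_bytes)."""
    findings = []
    for ts, src, frame in events:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError:
            continue  # malformed or non-Modbus payload: nothing to attribute
        if pdu["is_write"] and src not in engineering_hosts:
            findings.append({"time": ts, "src": src, "unit_id": pdu["unit_id"],
                             "function_code": pdu["function_code"],
                             "operation": WRITE_FUNCTION_CODES[pdu["function_code"]]})
    return findings

# Constructed sample traffic (not a real capture): hypothetical engineering
# workstation 10.1.20.5, hypothetical office host 10.1.30.77, one truncated frame.
SAMPLE_EVENTS = [
    ("10:15:02", "10.1.20.5", bytes.fromhex("000100000006010300000002")),            # FC3 read, benign
    ("10:17:44", "10.1.20.5", bytes.fromhex("0002000000060106000A00FF")),            # FC6 write from EWS
    ("10:21:10", "10.1.30.77", bytes.fromhex("00030000000B0110000A0002040000FFFF")),  # FC16 write, non-EWS
    ("10:21:11", "10.1.30.77", bytes.fromhex("0004000000")),                         # truncated, skipped
]
ENGINEERING_HOSTS = {"10.1.20.5"}

if __name__ == "__main__":
    for finding in hunt_unexpected_writes(SAMPLE_EVENTS, ENGINEERING_HOSTS):
        print(finding)
```

In a real hunt the events would come from a PCAP (for example tshark output) and the allowlist from the asset inventory; S7comm block downloads and stop/start requests need a separate parser.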
detecting-stuxnet-style-attacks skill FAQ
Is this only for Stuxnet itself?
No. It is for Stuxnet-style behaviors: covert PLC manipulation, staged IT-to-OT movement, and operator deception. The skill is useful when the tradecraft resembles Stuxnet even if the malware family is different.
Can I use it for basic OT alerting?
Usually not. If you only need generic OT IDS or SCADA intrusion detection, this is probably too specialized. The skill is strongest when you need deeper threat hunting and process-integrity validation.
Do I need malware samples to use it?
No. The skill is designed around telemetry and control-system evidence. Use it with PCAPs, logs, host artifacts, PLC change history, and process data. Malware reverse engineering is a different problem.
Is it beginner-friendly?
It is beginner-usable if you have a clear case and can supply structured evidence. It is less helpful for users who do not know the target protocol, asset type, or what “normal” process behavior looks like.
How to Improve detecting-stuxnet-style-attacks skill
Provide evidence in a structured bundle
The skill performs better when you give it grouped inputs: time window, affected asset, protocol, telemetry type, and suspected outcome. For example: “10:15–10:40 UTC, Siemens PLC, S7comm and Windows logs, unexpected block download, operator HMI still showing normal values.” That is more useful than a raw dump with no context.
Ask for a chain, not a single indicator
The biggest quality gain comes from asking the model to connect events into an attack path: initial access, engineering workstation compromise, PLC modification, concealment, and process impact. That matches the repository’s focus and avoids shallow IOC-only output.
Watch for common failure modes
Results weaken when you omit the baseline, mix IT and OT logs without timestamps, or ask for certainty from incomplete evidence. If the first answer is too generic, add protocol-specific details from references/api-reference.md and ask the model to distinguish benign maintenance from malicious writes, downloads, or PLC stop/start actions.
Iterate with targeted follow-ups
Use the first pass to identify suspicious assets and protocols, then ask a second question focused on one junction in the chain. Good follow-ups are: “Which events suggest PLC logic tampering?” or “Which artifacts support spoofed sensor readings versus a normal process upset?” That kind of narrowing usually improves results more than asking for a broader summary.
