T0846 Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. [1]
Item | Value |
---|---|
ID | T0846 |
Sub-techniques | None |
Tactics | TA0102 (Discovery) |
Platforms | Control Server, Data Historian, Field Controller/RTU/PLC/IED, Human-Machine Interface, Safety Instrumented System/Protection Relay |
Version | 1.1 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0093 | Backdoor.Oldrea | The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. [8] |
S1045 | INCONTROLLER | INCONTROLLER can perform a multicast scan on UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol. [12][13] |
S0604 | Industroyer | The Industroyer IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on TCP port 102. [10] |
S1006 | PLC-Blaster | PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. [7] |
S1009 | Triton | Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. [9] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0814 | Static Network Configuration | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [2][3] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [4], BACnet [5], and Ethernet/IP [6]. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Access |
DS0029 | Network Traffic | Network Traffic Content |
DS0009 | Process | Process Creation |
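The procedure examples above share two network-level signatures that the Network Traffic Content data source can surface: a single host touching many neighbours on one ICS service port in a short window (PLC-Blaster and the Industroyer 61850 payload on TCP/102), and a single datagram sent to a broadcast or multicast address on a vendor discovery port (Triton on UDP/1502, INCONTROLLER on UDP/27127). The following is an added example, not code from the ATT&CK page or from any of the referenced reports, that runs both checks over constructed Zeek-style conn.log lines. The subnet, the sweep threshold, the time window and every sample record are assumptions chosen to illustrate the logic.

```python
"""Detection logic for ICS remote system discovery (T0846) over Zeek-style
conn.log records. Added example; thresholds, subnet and sample data are assumed."""
from collections import defaultdict
import ipaddress

ICS_TCP_SWEEP_PORTS = {102}              # ISO-TSAP: Siemens S7comm, IEC 61850 MMS
ICS_UDP_DISCOVERY_PORTS = {1502, 27127}  # Triconex discovery, Schneider NetManage
LOCAL_SUBNETS = [ipaddress.ip_network("10.1.5.0/24")]  # assumed OT cell subnet
SWEEP_THRESHOLD = 8      # distinct targets on one port inside the window (assumed)
WINDOW_SECONDS = 60.0    # sliding window length (assumed)

# Constructed sample: 10.1.5.50 is an HMI polling its PLC (benign); 10.1.5.40
# sweeps the subnet on tcp/102, then sends broadcast and multicast discovery probes.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.10\t10.1.5.50\t49152\t10.1.5.10\t102\ttcp\tSF
1700000001.20\t10.1.5.40\t40001\t10.1.5.1\t102\ttcp\tREJ
1700000001.25\t10.1.5.40\t40002\t10.1.5.2\t102\ttcp\tREJ
1700000001.30\t10.1.5.40\t40003\t10.1.5.3\t102\ttcp\tREJ
1700000001.35\t10.1.5.40\t40004\t10.1.5.4\t102\ttcp\tREJ
1700000001.40\t10.1.5.40\t40005\t10.1.5.5\t102\ttcp\tS0
1700000001.45\t10.1.5.40\t40006\t10.1.5.6\t102\ttcp\tREJ
1700000001.50\t10.1.5.40\t40007\t10.1.5.7\t102\ttcp\tREJ
1700000001.55\t10.1.5.40\t40008\t10.1.5.8\t102\ttcp\tREJ
1700000001.60\t10.1.5.40\t40009\t10.1.5.9\t102\ttcp\tREJ
1700000001.65\t10.1.5.40\t40010\t10.1.5.10\t102\ttcp\tSF
1700000002.00\t10.1.5.40\t41000\t10.1.5.255\t1502\tudp\tS0
1700000002.50\t10.1.5.40\t41001\t239.1.2.3\t27127\tudp\tS0
1700000005.00\t10.1.5.50\t49153\t10.1.5.10\t102\ttcp\tSF
1700000300.00\t10.1.5.50\t49160\t10.1.5.11\t102\ttcp\tSF
"""


def parse_conn_log(text):
    """Parse a tab-separated Zeek-style conn log with a '#fields' or plain header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # other Zeek metadata lines
            continue
        if fields is None:                # plain header row without '#fields'
            fields = line.split("\t")
            continue
        row = dict(zip(fields, line.split("\t")))
        records.append({
            "ts": float(row["ts"]),
            "orig_h": row["id.orig_h"],
            "resp_h": row["id.resp_h"],
            "resp_p": int(row["id.resp_p"]),
            "proto": row["proto"].lower(),
            "conn_state": row.get("conn_state", ""),
        })
    return records


def detect_tcp_sweeps(records, threshold=SWEEP_THRESHOLD, window=WINDOW_SECONDS):
    """One source contacting many distinct hosts on the same ICS port within a
    sliding window. Rejected and unanswered attempts count: a scanner learns
    as much from a RST as from a completed handshake."""
    by_key = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] in ICS_TCP_SWEEP_PORTS:
            by_key[(r["orig_h"], r["resp_p"])].append((r["ts"], r["resp_h"]))
    alerts = []
    for (src, port), events in by_key.items():
        events.sort()
        in_window, left, peak, span = defaultdict(int), 0, 0, (None, None)
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > peak:
                peak, span = len(in_window), (events[left][0], ts)
        if peak >= threshold:
            alerts.append({"type": "tcp_port_sweep", "src": src, "port": port,
                           "distinct_hosts": peak, "window": span})
    return alerts


def detect_udp_discovery_probes(records, subnets=LOCAL_SUBNETS):
    """UDP datagrams to a vendor discovery port addressed to broadcast or multicast:
    one packet that asks every device on the segment to identify itself."""
    alerts = []
    for r in records:
        if r["proto"] != "udp" or r["resp_p"] not in ICS_UDP_DISCOVERY_PORTS:
            continue
        dst = ipaddress.ip_address(r["resp_h"])
        one_to_many = (dst.is_multicast
                       or dst == ipaddress.ip_address("255.255.255.255")
                       or any(dst == net.broadcast_address for net in subnets))
        if one_to_many:
            alerts.append({"type": "udp_discovery_probe", "src": r["orig_h"],
                           "dst": r["resp_h"], "port": r["resp_p"], "ts": r["ts"]})
    return alerts


def run_detections(text):
    """Parse the log once and return all alerts from both detectors."""
    records = parse_conn_log(text)
    return detect_tcp_sweeps(records) + detect_udp_discovery_probes(records)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_CONN_LOG):
        print(alert)
```

Running the module against the constructed sample yields one tcp_port_sweep alert for 10.1.5.40 on port 102 and two udp_discovery_probe alerts (ports 1502 and 27127); the HMI at 10.1.5.50 is not flagged because it only ever talks to one or two PLCs within any 60-second window. In a static OT network the sweep threshold can be set low, since a legitimate engineering workstation rarely opens connections to more than a handful of new controllers per minute, and the UDP check needs no threshold at all once the approved discovery tooling and its source addresses are allow-listed.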
References
1. Enterprise ATT&CK. (2018, January 11). Remote System Discovery. Retrieved May 17, 2018.
2. D. Parsons and D. Wylie. (2019, September). Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged: Discover and Defend Your Assets. Retrieved September 25, 2020.
3. Colin Gray. How SDN Can Improve Cybersecurity in OT Networks. Retrieved September 25, 2020.
4. Josh Rinaldi. (2016, April). Still a Thrill: OPC UA Device Discovery. Retrieved September 25, 2020.
5. Aditya K Sood. (2019, July). Discovering and fingerprinting BACnet devices. Retrieved September 25, 2020.
6. Langner. (2018, November). Why Ethernet/IP changes the OT asset discovery game. Retrieved September 25, 2020.
7. Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). PLC-Blaster: A worm living solely in the PLC. Retrieved September 19, 2017.
8. Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell. (2015, December 08). A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin. Retrieved April 01, 2019.
9. DHS CISA. (2019, February 27). MAR-17-352-01 HatMan: Safety System Targeted Malware (Update B). Retrieved March 08, 2019.
10. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
11. DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.
12. DRAGOS. (2022, April 13). Pipedream: Chernovite's Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.
13. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
14. Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.