Detection of Remote System Information Discovery

ID: DET0787
Domains: ICS
Analytics: AN1919
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1919

Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).
Monitor for anomalies related to discovery-related ICS functions, including devices that have not previously used these functions or functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network-connected resources using non-ICS enterprise protocols.
Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.[1] Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation events with network data.
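The three behaviours the analytic describes (one host reaching many devices over ICS or enterprise protocols, discovery tools launched in quick succession, and ICS connections to peers never seen before) can be implemented as simple window-based checks over flow and process-creation telemetry. The following is an added example, not part of the ATT&CK page; the port lists, thresholds, windows and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Port lists are assumptions about the monitored site, not values from the page.
ICS_PORTS = {502, 20000, 44818, 102}   # Modbus/TCP, DNP3, EtherNet/IP, S7comm
ENTERPRISE_PORTS = {135, 5985, 5986}   # DCOM, WinRM
DISCOVERY_TOOLS = {"ping.exe", "tracert.exe"}
T = datetime.fromisoformat

# Constructed sample telemetry: flows are (ts, src, dst, dport); processes are (ts, host, image).
FLOWS = [
    (T("2025-10-21T09:00:00"), "10.0.1.20", "10.0.2.5", 502),    # baselined HMI -> PLC
    (T("2025-10-21T09:01:00"), "10.0.1.77", "10.0.2.5", 502),    # one host sweeping many devices
    (T("2025-10-21T09:01:01"), "10.0.1.77", "10.0.2.6", 502),
    (T("2025-10-21T09:01:02"), "10.0.1.77", "10.0.2.7", 20000),
    (T("2025-10-21T09:01:03"), "10.0.1.77", "10.0.2.8", 44818),
    (T("2025-10-21T09:01:04"), "10.0.1.77", "10.0.2.9", 5985),
    (T("2025-10-21T10:30:00"), "10.0.1.77", "10.0.2.10", 502),   # much later, outside the window
]
PROCS = [
    (T("2025-10-21T09:01:00"), "ENG-LAPTOP", "ping.exe"),
    (T("2025-10-21T09:01:02"), "ENG-LAPTOP", "ping.exe"),
    (T("2025-10-21T09:01:04"), "ENG-LAPTOP", "tracert.exe"),
    (T("2025-10-21T09:05:00"), "HMI-01", "ping.exe"),
]
BASELINE_PAIRS = {("10.0.1.20", "10.0.2.5")}   # (src, dst) ICS pairs seen during a learning period

def _burst(events, threshold, window):
    """events: (ts, key, value). Report keys whose distinct values inside any sliding window reach threshold."""
    grouped = defaultdict(list)
    for ts, key, value in events:
        grouped[key].append((ts, value))
    hits = {}
    for key, evs in grouped.items():
        for t0, _ in evs:                      # window anchored at each event; order does not matter
            seen = {v for t, v in evs if t0 <= t <= t0 + window}
            if len(seen) >= threshold:
                hits[key] = max(hits.get(key, 0), len(seen))
    return hits

def scanning_hosts(flows, threshold=5, window=timedelta(minutes=5)):
    """Sources reaching >= threshold distinct devices over ICS or enterprise protocols within the window."""
    watched = ICS_PORTS | ENTERPRISE_PORTS
    return _burst([(ts, s, d) for ts, s, d, p in flows if p in watched], threshold, window)

def discovery_tool_bursts(procs, threshold=3, window=timedelta(seconds=30)):
    """Hosts launching >= threshold discovery tools in quick succession; (ts, image) keeps each execution distinct."""
    return _burst([(ts, h, (ts, i)) for ts, h, i in procs if i.lower() in DISCOVERY_TOOLS], threshold, window)

def new_ics_peers(flows, baseline):
    """(src, dst) pairs speaking an ICS protocol that the baseline has never seen."""
    return sorted({(s, d) for _, s, d, p in flows if p in ICS_PORTS and (s, d) not in baseline})
```

Broadcast and multicast destinations should be excluded from the flow input before calling scanning_hosts, since protocols that legitimately use them would otherwise trip the distinct-device count.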

Log Sources
Data Component                    Name             Channel
Network Traffic Flow (DC0078)     Network Traffic  None
Network Traffic Content (DC0085)  Network Traffic  None
File Access (DC0055)              File             None
Process Creation (DC0032)         Process          None

References