Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. [1]
| ID | Name | Description |
|---|---|---|
| C0028 | 2015 Ukraine Electric Power Attack |
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered operational assets once on the OT network. [2] [3] |
| S0093 | Backdoor.Oldrea |
The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. [4] |
| S1045 | INCONTROLLER |
INCONTROLLER can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.[5][6] INCONTROLLER can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.[7][6] INCONTROLLER has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.[6] |
| S0604 | Industroyer |
The Industroyer IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.[8] Industroyer contains an OPC DA module that enumerates all OPC servers using the |
| S1006 | PLC-Blaster |
PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. [9] |
| S1009 | Triton |
Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. [10] |
| ID | Mitigation | Description |
|---|---|---|
| M0814 | Static Network Configuration |
ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [11] [12] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [13], BACnet [14], and Ethernet/IP. [15] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0022 | File | File Access |
Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. |
| DS0029 | Network Traffic | Network Traffic Content |
Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols. |
| Network Traffic Flow |
Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery. |
||
| DS0009 | Process | Process Creation |
Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.[16] Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data. |