Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. [1]

ID: T0846
Sub-techniques: No sub-techniques
Tactic: Discovery
Platforms: Control Server, Data Historian, Field Controller/RTU/PLC/IED, Human-Machine Interface, Safety Instrumented System/Protection Relay
Version: 1.0
Created: 21 May 2020
Last Modified: 06 May 2022

Procedure Examples

ID Name Description
S0093 Backdoor.Oldrea

The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. [2]

S0604 Industroyer

The Industroyer IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102. [3]

S1006 PLC-Blaster

PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. [4]

S1009 Triton

Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. [5]

Mitigations

ID Mitigation Description
M0814 Static Network Configuration

ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [6] [7] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [8], BACnet [9], and Ethernet/IP. [10]

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation
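The following is an added detection example, not code from the ATT&CK page or from any of the tools it lists. It applies the Network Connection Creation data component to the two discovery behaviours the procedure examples describe: a host sweeping its subnet for services on TCP port 102 (Industroyer, PLC-Blaster) and a host sending UDP broadcast probes to port 1502 (Triton). The key=value log line format, the sample records, the 10.10.20.0/24 subnet, the engineering-workstation allowlist and the thresholds are all assumptions constructed for the example; in a real deployment they come from the site's network monitoring and asset inventory.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Network Connection Creation records (not from any real
# environment). One event per line: timestamp, source, destination, protocol
# and destination port.
SAMPLE_LOG = """\
2024-03-04T08:00:00 src=10.10.20.5 dst=10.10.20.11 proto=tcp dport=102
2024-03-04T08:00:01 src=10.10.20.5 dst=10.10.20.12 proto=tcp dport=102
2024-03-04T08:00:01 src=10.10.20.5 dst=10.10.20.13 proto=tcp dport=102
2024-03-04T08:00:02 src=10.10.20.5 dst=10.10.20.14 proto=tcp dport=102
2024-03-04T08:00:02 src=10.10.20.5 dst=10.10.20.15 proto=tcp dport=102
2024-03-04T08:00:03 src=10.10.20.5 dst=10.10.20.16 proto=tcp dport=102
2024-03-04T08:05:00 src=10.10.20.40 dst=10.10.20.11 proto=tcp dport=102
2024-03-04T08:05:30 src=10.10.20.40 dst=10.10.20.12 proto=tcp dport=102
2024-03-04T08:10:00 src=10.10.20.7 dst=10.10.20.255 proto=udp dport=1502
2024-03-04T08:11:00 src=10.10.20.40 dst=10.10.20.255 proto=udp dport=1502
2024-03-04T08:12:00 src=10.10.20.9 dst=10.10.20.50 proto=tcp dport=502
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

# Assumed allowlist: hosts expected to talk to many controllers or to send
# discovery broadcasts (e.g. the engineering workstation). Site-specific.
KNOWN_ENGINEERING_HOSTS = {"10.10.20.40"}

# TCP/102 is the port the Industroyer and PLC-Blaster sweeps on the page use;
# UDP/1502 broadcast is the Triconex probe the page attributes to Triton.
SWEEP_PORTS = {("tcp", 102)}
BROADCAST_PROBE_PORTS = {("udp", 1502)}


def parse_events(text):
    """Parse key=value log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"].lower(),
            "dport": int(m["dport"]),
        })
    return events


def detect_sweeps(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source that reaches >= threshold distinct hosts on a sweep port
    inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if (e["proto"], e["dport"]) in SWEEP_PORTS and e["src"] not in KNOWN_ENGINEERING_HOSTS:
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["dst"] for e in evs[start:end + 1]}))
        if best >= threshold:
            findings.append({"rule": "ics_port_sweep", "src": src, "distinct_hosts": best})
    return findings


def is_broadcast(addr, network):
    """True if addr is the subnet's directed broadcast or the limited broadcast."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip == network.broadcast_address or addr == "255.255.255.255"


def detect_broadcast_probes(events, network):
    """Flag UDP discovery broadcasts on probe ports from unexpected hosts."""
    findings = []
    for e in events:
        if ((e["proto"], e["dport"]) in BROADCAST_PROBE_PORTS
                and is_broadcast(e["dst"], network)
                and e["src"] not in KNOWN_ENGINEERING_HOSTS):
            findings.append({"rule": "ics_discovery_broadcast", "src": e["src"], "dport": e["dport"]})
    return findings


def analyze(text, subnet="10.10.20.0/24"):
    """Run both rules over a log text and return the findings per rule."""
    events = parse_events(text)
    network = ipaddress.ip_network(subnet)
    return {
        "events": len(events),
        "sweeps": detect_sweeps(events),
        "broadcast_probes": detect_broadcast_probes(events, network),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule, hits)
```

On the sample data the sweep rule fires for 10.10.20.5 (six distinct hosts on TCP/102 within three seconds) and the broadcast rule for 10.10.20.7, while the allowlisted engineering workstation 10.10.20.40 is ignored by both. The threshold and window trade detection of slow sweeps against noise from legitimate polling, so tune them per subnet; the same sweep logic also covers the Process Creation and Command Execution data components if fed the destination hosts extracted from command-line arguments of discovery utilities instead of flow records.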