1. Home
  2. Techniques
  3. ICS
  4. Remote System Discovery
  5. Multicast Discovery

Remote System Discovery: Multicast Discovery

ID Name
T0846.001 Port Scan
T0846.002 Broadcast Discovery
T0846.003 Multicast Discovery

Adversaries may perform multicast discovery requests which is when one system or device sends messages to all systems and devices in a pre-defined group on a network (or subnet) and then waits for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Multicast discovery tends to be stealthier than broadcast discovery because every system or device on the network (or subnet) is not being messaged.

One common OT protocol that has a multicast discovery mechanism is the Process Field Network (PROFINET) Discovery and Configuration Protocol (DCP) with its Identify All requests.[1]

ID: T0846.003
Sub-technique of:  T0846
Tactic: Discovery
Version: 1.0
Created: 20 April 2026
Last Modified: 23 April 2026
Version Permalink

Procedure Examples

ID Name Description
S1045 INCONTROLLER

INCONTROLLER can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.[2][3]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0017 Distributed Control System (DCS) Controller
A0016 Firewall
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0014 Routers
A0010 Safety Controller
A0015 Switch
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0930 Network Segmentation

Ensure proper network segmentation is followed to protect critical servers and devices.
M0814 Static Network Configuration

ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.[4][5] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [6], BACnet[7], and Ethernet/IP.[8]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0909 Detection of Multicast Discovery AN2052

Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.

Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery.

References

  1. Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.
  2. DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.
  3. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
  4. D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25
  1. Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25
  2. Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25
  3. Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25
  4. Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25