1. Home
  2. Techniques
  3. ICS
  4. Remote System Discovery

Remote System Discovery

ID Name
T0846.001 Port Scan
T0846.002 Broadcast Discovery
T0846.003 Multicast Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.[1]

ID: T0846
Sub-techniques:  T0846.001, T0846.002, T0846.003
Tactic: Discovery
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 12 May 2026

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered operational assets once on the OT network. [2] [3]
C0063 2025 Poland Wiper Attacks

During the 2025 Poland Wiper Attacks, the adversaries used nslookup and ping to conduct remote system discovery activities.[4]
S0093 Backdoor.Oldrea

The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. [5]
S1045 INCONTROLLER

INCONTROLLER can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.[6][7]
S0604 Industroyer

Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running.

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0017 Distributed Control System (DCS) Controller
A0016 Firewall
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller
A0015 Switch
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0814 Static Network Configuration

ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.[8][9] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery[10], BACnet[11], and Ethernet/IP.[12]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0739 Detection of Remote System Discovery AN1872

Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.[13] Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.
Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.
Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery.

References

  1. Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 2018/05/17
  2. Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.
  3. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
  4. CERT Polska. (2026, January 30). Energy Sector Incident Report – 29 December. Retrieved April 22, 2026.
  5. Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01
  6. DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.
  7. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
  1. D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25
  2. Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25
  3. Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25
  4. Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25
  5. Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25
  6. Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.