Remote System Discovery

From attackics
Jump to navigation Jump to search
Remote System Discovery
Technique
ID T0846
Tactic Discovery
Data Sources Process monitoring, Process use of network, Process command-line parameters, Network protocol analysis
Asset Control Server, Data Historian, Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface

Description

Remote System Discovery is the process of identifying the presence of hosts on a network1, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.


Procedure Examples

  • The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.2
  • The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically.3
  • PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.4
  • Stuxnet scanned the network to identify the Siemens PLCs that it was targeting.5
  • Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.6

Mitigations

  • Static Network Configuration - ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.78 Examples of automation protocols with discovery capabilities include OPC UA Device Discovery 9, BACnet 10, and Ethernet/IP.11