Remote System Discovery
Jump to navigation
Jump to search
| Remote System Discovery | |
|---|---|
| Technique | |
| ID | T0846 |
| Tactic | Discovery |
| Data Sources | Process monitoring, Process use of network, Process command-line parameters, Network protocol analysis |
| Asset | Control Server, Data Historian, Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface |
Description
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.1
Procedure Examples
- The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.2
- The Industroyer IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.3
- Industroyer contains an OPC DA module that enumerates all OPC servers using the
ICatInformation::EnumClassesOfCategoriesmethod withCATID_OPCDAServer20category identifier andIOPCServer::GetStatusto identify the ones running. - PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.4
- Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.5
Mitigations
- Static Network Configuration - ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.67 Examples of automation protocols with discovery capabilities include OPC UA Device Discovery 8, BACnet 9, and Ethernet/IP.10
- Disable or Remove Feature or Program - Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
- Network Intrusion Prevention - Use network intrusion detection/prevention systems to detect and prevent remote service scans.
- Network Segmentation - Ensure proper network segmentation is followed to protect critical servers and devices.
References
- ^ Enterprise ATT&CK. (2018, January 11). Remote System Discovery. Retrieved May 17, 2018.
- ^ Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell. (2015, December 08). A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin. Retrieved April 1, 2019.
- ^ Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- ^ Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.
- ^ DHS CISA. (2019, February 27). MAR-17-352-01 HatMan—Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
- ^ D. Parsons and D. Wylie. (2019, September). Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged – Discover and Defend Your Assets. Retrieved September 25, 2020.
- ^ Colin Gray. (n.d.). How SDN Can Improve Cybersecurity in OT Networks. Retrieved September 25, 2020.
- ^ Josh Rinaldi. (2016, April). Still a Thrill: OPC UA Device Discovery. Retrieved September 25, 2020.
- ^ Aditya K Sood. (2019, July). Discovering and fingerprinting BACnet devices. Retrieved September 25, 2020.
- ^ Langner. (2018, November). Why Ethernet/IP changes the OT asset discovery game. Retrieved September 25, 2020.
