Remote System Discovery

ID: T846
Tactic: Discovery
Data Sources: Process monitoring, Process use of network, Process command-line parameters, Network protocol analysis
Asset: Control Server, Data Historian, Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface


Remote System Discovery is the process of identifying the presence of hosts on a network,[1] and details about them. This process is common to network administrators validating the presence of machines and services, as well as to adversaries mapping out a network for future attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in this by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.

Procedure Examples

  • The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.[2]
  • The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically.[3]
  • PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.[4]
  • Stuxnet scanned the network to identify the Siemens PLCs that it was targeting.[5]
  • Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.[6]


Mitigations

  • Segmenting the network with VLANs allows switches to enforce security policies and segregate traffic at the Ethernet layer.[7] Proper segmentation helps mitigate the risk of broadcast storms resulting from port scans. Assigning each automation cell to a single VLAN limits unnecessary traffic flooding.
  • Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.[7]
  • Secure and restrict authorization to the control room and the physical environment. ICS devices should stay in their designated areas.[7]
  • Implement VPNs to further restrict access in and out of control system computers and controllers, which helps remove unauthorized, non-essential traffic from the intermediary network.[7]
  • Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.[7]
  • Implement heuristics to detect monitoring and invasive probing activity on the network. Filter and limit communications to and from devices. Ensure devices are patched and up-to-date.[7]
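
One way to implement the probing heuristic from the last mitigation, as an added example that is not part of the original page: it flags any source that contacts many distinct hosts on TCP 102 within a sliding time window, or that broadcasts to UDP 1502, the ports named in the procedure examples. The subnet, addresses, thresholds, allowlist parameter and flow-record layout are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Ports from the procedure examples: TCP 102 (Industroyer, PLC-Blaster), UDP 1502 (Triton).
ICS_PORTS = {("tcp", 102), ("udp", 1502)}
CELL_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed automation-cell subnet

# Constructed flow records: (epoch seconds, source, destination, protocol, destination port).
SAMPLE_FLOWS = (
    # one host walking the subnet on TCP 102, one address per second
    [(1000 + i, "10.0.5.23", f"10.0.5.{i}", "tcp", 102) for i in range(1, 61)]
    # an HMI polling a single PLC every 30 s (normal traffic)
    + [(1000 + 30 * i, "10.0.5.10", "10.0.5.40", "tcp", 102) for i in range(20)]
    # a single UDP broadcast to port 1502
    + [(1500, "10.0.5.77", "10.0.5.255", "udp", 1502)]
)

def detect_discovery(flows, window=60, min_targets=10, allowlist=frozenset()):
    """Return (src, proto, port, kind, count) alerts for sweeps and broadcasts on ICS ports."""
    broadcasts = {str(n.broadcast_address) for n in CELL_NETS} | {"255.255.255.255"}
    alerts, per_source = [], defaultdict(list)
    for ts, src, dst, proto, port in sorted(flows):
        if (proto, port) not in ICS_PORTS or src in allowlist:
            continue  # unrelated port, or an approved asset-inventory host
        if dst in broadcasts:
            alerts.append((src, proto, port, "broadcast", 1))
        else:
            per_source[(src, proto, port)].append((ts, dst))
    for (src, proto, port), events in per_source.items():
        recent, seen, peak = deque(), Counter(), 0
        for ts, dst in events:
            recent.append((ts, dst))
            seen[dst] += 1
            # slide the window: forget contacts older than `window` seconds
            while recent[0][0] <= ts - window:
                _, old = recent.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))  # most distinct targets in any one window
        if peak >= min_targets:
            alerts.append((src, proto, port, "sweep", peak))
    return alerts

if __name__ == "__main__":
    for alert in detect_discovery(SAMPLE_FLOWS):
        print(alert)
```

Hosts that legitimately poll many controllers, such as a data historian, go in `allowlist` so that alerts stay limited to unexpected sources.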