Remote System Discovery

Revision as of 12:44, 13 April 2021 by Oalexander (talk | contribs)
Technique
ID: T0846
Tactic: Discovery
Data Sources: Process monitoring, Process use of network, Process command-line parameters, Network protocol analysis
Asset: Control Server, Data Historian, Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface

Description

Adversaries may attempt to get a listing of other systems on a network by IP address, hostname, or other logical identifier; this listing may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. [1]


Procedure Examples

  • The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. [2]
  • The Industroyer IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102. [3]
  • Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running.
  • PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. [4]
  • Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. [5]
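
The port 102 sweeps and the UDP 1502 broadcast listed above leave a recognizable pattern in flow data. The following added example (not part of the original page or of any tool it describes) flags both over constructed flow records; the subnet, time window, and target threshold are assumptions to tune per site.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports named in the procedure examples above.
SWEEP_PORTS = {("tcp", 102)}        # ISO-TSAP: IEC 61850 MMS, Siemens S7
BROADCAST_PORTS = {("udp", 1502)}   # Triconex discovery broadcast

# Constructed flow records: (epoch seconds, src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.0.5.20", "10.0.5.31", "tcp", 102),  # station talking to its own PLC
    (1002, "10.0.5.20", "10.0.5.31", "tcp", 102),
    *[(2000 + i, "10.0.5.77", f"10.0.5.{i}", "tcp", 102) for i in range(1, 41)],
    (3000, "10.0.5.77", "10.0.5.255", "udp", 1502),
    (3005, "10.0.5.20", "10.0.5.31", "udp", 1502),  # unicast, not a broadcast
]

def find_discovery(flows, subnet="10.0.5.0/24", window=60, min_targets=10):
    """Return sorted alerts (kind, src, service) for sweeps and broadcasts."""
    net = ip_network(subnet)  # assumed control-network subnet
    bcast = {net.broadcast_address, ip_address("255.255.255.255")}
    by_src = defaultdict(list)
    alerts = set()
    for ts, src, dst, proto, port in sorted(flows):
        if (proto, port) in BROADCAST_PORTS and ip_address(dst) in bcast:
            alerts.add(("broadcast", src, f"{proto}/{port}"))
        elif (proto, port) in SWEEP_PORTS:
            by_src[(src, proto, port)].append((ts, dst))
    for (src, proto, port), events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.add(("sweep", src, f"{proto}/{port}"))
                break
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_discovery(SAMPLE_FLOWS):
        print(alert)
```

A host that contacts only its configured controller stays below the threshold, so the check fits networks where peer relationships are static.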

Mitigations

  • Static Network Configuration - ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [6][7] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [8], BACnet [9], and Ethernet/IP [10].
  • Network Segmentation - Ensure proper network segmentation is followed to protect critical servers and devices.