T0846: Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.[1]
Analyst context for executives and security teams
Remote System Discovery in ICS is the behavior of identifying other reachable systems by IP address, hostname, or logical identifier. For leaders, the risk is not the lookup itself; it is that an intruder can use it to build a usable map of HMIs, PLCs, RTUs, historians, control servers, gateways, jump hosts, VPN servers, switches, firewalls, and other operational assets before moving laterally or choosing follow-on discovery paths. In OT environments, that mapping can materially affect incident containment decisions and operational resilience because defenders need to know whether discovery touched engineering workstations, safety-related controllers, or boundary systems.
Executive priority
Treat this as a coverage question for OT visibility and segmentation. Ask whether the organization can prove what systems are expected to discover or enumerate peers, whether static network configuration is feasible for critical segments, and whether SOC/IR teams can distinguish normal engineering, vendor, or management activity from unusual enumeration. This technique is relevant to board-level resilience discussions because ATT&CK relates it to notable ICS campaigns and software, but local exposure depends on the organization’s asset inventory, network architecture, and telemetry.
Technical view
SOC and IR teams should validate visibility for host and network-based evidence of systems attempting to list or identify peers across ICS segments. The parent technique has no ATT&CK platform or tactic specified and no official detection text, so engineering should use the related detection strategy DET0739 as a starting point and enrich it with local baselines. Relationship context points to subtechniques for port scan, broadcast discovery, and multicast discovery, so detections should cover unicast enumeration as well as broadcast or multicast request/response patterns. Prioritize monitoring around targeted ICS assets including workstations, HMIs, PLCs, RTUs, IEDs, historians, control servers, application servers, data gateways, safety controllers, VPN servers, jump hosts, switches, firewalls, DCS controllers, and PACs.
Likely telemetry
- Network flow records showing one source contacting many destination IPs or logical peers in a short period
- DNS, hostname, and name-resolution logs where available
- ARP, DHCP, broadcast, and multicast discovery traffic where collected
- Firewall, switch, and gateway logs for cross-segment enumeration attempts
- Endpoint process and command telemetry on Windows/Linux workstations, servers, jump hosts, and VPN-related systems where applicable to the targeted assets
Detection direction
- Validate whether DET0739 or equivalent local analytics are deployed for OT network segments, not only enterprise IT networks.
- Tune detections against approved engineering, maintenance, vendor support, asset inventory, and monitoring activity to reduce false positives.
- Look for discovery from unusual sources, especially jump hosts, VPN servers, workstations, application servers, data gateways, or systems that do not normally enumerate ICS peers.
- Include broadcast and multicast discovery patterns, because related subtechniques explicitly cover those methods and they may look different from simple host-to-host scanning.
- Correlate discovery with later lateral movement or additional discovery events, since the official description states the listing may support subsequent Lateral Movement or Discovery techniques.
Mitigation priorities
- Start with an accurate ICS asset inventory and approved communication matrix so discovery activity can be judged against expected behavior.
- Use static network configuration where possible, consistent with mitigation M0814, while recognizing ATT&CK notes that this may not always be usable because of device limitations or network configuration challenges.
- Restrict and monitor dynamic discovery/addressing mechanisms such as ARP, DHCP, and DNS where they are not required or where manipulation could affect forwarding or enable adversary-in-the-middle activity.
- Segment ICS networks and enforce boundary controls so enumeration from corporate, remote access, or less trusted zones cannot freely map critical control assets.
- Prioritize monitoring and access control around jump hosts, VPN servers, data gateways, firewalls, and control servers because they can provide visibility into or pathways across multiple ICS segments.
Analyst notes and limits
ATT&CK relationships show this technique targeting a broad set of ICS assets and being used by the 2015 Ukraine Electric Power Attack, 2025 Poland Wiper Attacks, and Backdoor.Oldrea. That context supports treating remote discovery as an important precursor behavior in ICS intrusions, but it does not by itself establish current activity in any specific environment. The most useful defensive question is whether discovery against critical OT assets would be visible, baselined, and actionable during an incident.
The supplied ATT&CK object does not specify parent tactics, parent platforms, or official detection guidance. Some related subtechnique descriptions are truncated in the supplied data. This take therefore avoids vendor-specific detection logic and requires local asset inventory, network architecture, and approved operational workflows to determine what is suspicious.
Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.[1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan subtechnique of this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery subtechnique of this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery subtechnique of this object. |
Groups, software, and campaigns
S0604: Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]
S0093: Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[1][2][3]
S1045: INCONTROLLER
INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
C0063: 2025 Poland Wiper Attacks
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 27019b132585… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Enterprise ATT&CK January 2018
Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 2018/05/17
Open source URL -
[2]
mitre-attack T0846Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.