T0846.003: Multicast Discovery
Essential information
- MITRE technique ID: T0846.003
- Confidence: 75/100
- Revoked: No
- Published: 20/04/2026 22:54
- Modified: 04/05/2026 16:52
- Author / Source: The MITRE Corporation
Description
Adversaries may perform multicast discovery requests, in which one system or device sends messages to all systems and devices in a pre-defined group on a network (or subnet) and then waits for a response. A response means that the system or device that responded is live and can communicate over that protocol. Multicast discovery tends to be stealthier than broadcast discovery because not every system or device on the network (or subnet) is messaged.
One common OT protocol that has a multicast discovery mechanism is the Process Field Network (PROFINET) Discovery and Configuration Protocol (DCP) with its Identify All requests. (Citation: Cisco Active Discovery)
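A detection-side sketch for the PROFINET DCP case described above, added here as an example and not part of the MITRE entry: it parses raw Ethernet frames, recognises DCP Identify requests carrying the All selector, and reports senders that are not on an allowlist. The allowlist, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct

PN_ETHERTYPE, VLAN_ETHERTYPE = 0x8892, 0x8100   # PROFINET, optional 802.1Q tag
DCP_IDENTIFY_MCAST = bytes.fromhex("010ecf000000")  # DCP Identify multicast MAC
FRAME_ID_IDENTIFY_REQ = 0xFEFE
SERVICE_IDENTIFY, TYPE_REQUEST = 5, 0
ALL_SELECTOR = (0xFF, 0xFF)                     # (option, suboption)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_identify_request(frame):
    """Return a dict for a DCP Identify request frame, else None."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if etype == VLAN_ETHERTYPE and len(frame) >= 18:
        (etype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    if etype != PN_ETHERTYPE or len(frame) < off + 12:
        return None
    frame_id, service, stype, xid, _delay, dlen = struct.unpack_from("!HBBIHH", frame, off)
    if (frame_id, service, stype) != (FRAME_ID_IDENTIFY_REQ, SERVICE_IDENTIFY, TYPE_REQUEST):
        return None
    blocks, pos, end = [], off + 12, min(len(frame), off + 12 + dlen)
    while pos + 4 <= end:
        opt, sub, blen = struct.unpack_from("!BBH", frame, pos)
        blocks.append((opt, sub))
        pos += 4 + blen + (blen & 1)            # blocks are padded to even length
    return {"src": mac(src), "multicast": dst == DCP_IDENTIFY_MCAST,
            "xid": xid, "identify_all": ALL_SELECTOR in blocks}

def unexpected_identify_all(frames, allowed_sources):
    """Source MACs sending Identify All that are not on the allowlist."""
    parsed = (parse_identify_request(f) for f in frames)
    return [p["src"] for p in parsed
            if p and p["identify_all"] and p["src"] not in allowed_sources]

# Constructed sample frames (not captured traffic); MACs are locally administered.
_PDU = struct.pack("!HBBIHH", 0xFEFE, 5, 0, 0x01000001, 1, 4) + bytes.fromhex("ffff0000")
SAMPLE_FRAMES = [
    DCP_IDENTIFY_MCAST + bytes.fromhex("020000000001") + b"\x88\x92" + _PDU,  # allowlisted station
    DCP_IDENTIFY_MCAST + bytes.fromhex("02aabbccdd01") + b"\x88\x92" + _PDU,  # unknown host
    bytes.fromhex("ffffffffffff02aabbccdd010806") + bytes(28),                 # ARP, ignored
]
ALLOWED = {"02:00:00:00:00:01"}                 # hypothetical engineering station
```

Identify All is also sent by legitimate engineering and asset-inventory tools, so the allowlist of expected sources is what turns this parser into a usable alert.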
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-ics-attack-v19 | discovery |
| mitre-ics-attack | discovery |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.