Discovery, Tactic TA0007 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Discovery, Tactic TA0007 - Enterprise | MITRE ATT&CK®</title>  <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body>  <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header>  <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent">  <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical">  <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">TACTICS</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/tactics/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Reconnaissance"> <a href="/versions/v9/tactics/TA0043/"> Reconnaissance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Resource Development"> <a href="/versions/v9/tactics/TA0042/"> Resource Development </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Initial Access"> <a href="/versions/v9/tactics/TA0001/"> Initial Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Execution"> <a href="/versions/v9/tactics/TA0002/"> Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Persistence"> <a href="/versions/v9/tactics/TA0003/"> Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Privilege Escalation"> <a href="/versions/v9/tactics/TA0004/"> Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Defense Evasion"> <a href="/versions/v9/tactics/TA0005/"> Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Credential Access"> <a href="/versions/v9/tactics/TA0006/"> Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="enterprise-Discovery"> <a href="/versions/v9/tactics/TA0007/"> Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Lateral Movement"> <a href="/versions/v9/tactics/TA0008/"> Lateral Movement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Collection"> <a href="/versions/v9/tactics/TA0009/"> Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Command and Control"> <a href="/versions/v9/tactics/TA0011/"> Command and Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Exfiltration"> <a href="/versions/v9/tactics/TA0010/"> Exfiltration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Impact"> <a href="/versions/v9/tactics/TA0040/"> Impact </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/tactics/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-Initial Access"> <a href="/versions/v9/tactics/TA0027/"> Initial Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Execution"> <a href="/versions/v9/tactics/TA0041/"> Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Persistence"> <a href="/versions/v9/tactics/TA0028/"> Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Privilege Escalation"> <a href="/versions/v9/tactics/TA0029/"> Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Defense Evasion"> <a href="/versions/v9/tactics/TA0030/"> Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Credential Access"> <a href="/versions/v9/tactics/TA0031/"> Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Discovery"> <a href="/versions/v9/tactics/TA0032/"> Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Lateral Movement"> <a href="/versions/v9/tactics/TA0033/"> Lateral Movement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Collection"> <a href="/versions/v9/tactics/TA0035/"> Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Command and Control"> <a href="/versions/v9/tactics/TA0037/"> Command and Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Exfiltration"> <a href="/versions/v9/tactics/TA0036/"> Exfiltration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Impact"> <a href="/versions/v9/tactics/TA0034/"> Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Network Effects"> <a href="/versions/v9/tactics/TA0038/"> Network Effects </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Remote Service Effects"> <a href="/versions/v9/tactics/TA0039/"> Remote Service Effects </a> </div> </div> </div> </div> </div>  </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/tactics/enterprise">Tactics</a></li> <li class="breadcrumb-item"><a href="/versions/v9/tactics/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Discovery</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Discovery </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to figure out your environment.</p><p>Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what鈥檚 around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0007</div> <div class="card-data"><span class="h5 card-title">Created: </span>17 October 2018</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>19 July 2019</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0007" href="/versions/v9/tactics/TA0007/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0007" href="/tactics/TA0007/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 27</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1087"> T1087 </a> </td> <td> <a href="/versions/v9/techniques/T1087"> Account Discovery </a> </td> <td> Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1087/001"> Local Account </a> </td> <td> Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1087/002"> Domain Account </a> </td> <td> Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1087/003"> Email Account </a> </td> <td> Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1087/004"> .004 </a> </td> <td> <a href="/versions/v9/techniques/T1087/004"> Cloud Account </a> </td> <td> Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1010"> T1010 </a> </td> <td> <a href="/versions/v9/techniques/T1010"> Application Window Discovery </a> </td> <td> Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1217"> T1217 </a> </td> <td> <a href="/versions/v9/techniques/T1217"> Browser Bookmark Discovery </a> </td> <td> Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1580"> T1580 </a> </td> <td> <a href="/versions/v9/techniques/T1580"> Cloud Infrastructure Discovery </a> </td> <td> An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1538"> T1538 </a> </td> <td> <a href="/versions/v9/techniques/T1538"> Cloud Service Dashboard </a> </td> <td> An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1526"> T1526 </a> </td> <td> <a href="/versions/v9/techniques/T1526"> Cloud Service Discovery </a> </td> <td> An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1613"> T1613 </a> </td> <td> <a href="/versions/v9/techniques/T1613"> Container and Resource Discovery </a> </td> <td> Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1482"> T1482 </a> </td> <td> <a href="/versions/v9/techniques/T1482"> Domain Trust Discovery </a> </td> <td> Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct <a href="/versions/v9/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v9/techniques/T1550/003">Pass the Ticket</a>, and <a href="/versions/v9/techniques/T1558/003">Kerberoasting</a>. Domain trusts can be enumerated using the <code>DSEnumerateDomainTrusts()</code> Win32 API call, .NET methods, and LDAP. The Windows utility <a href="/versions/v9/software/S0359">Nltest</a> is known to be used by adversaries to enumerate domain trusts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1083"> T1083 </a> </td> <td> <a href="/versions/v9/techniques/T1083"> File and Directory Discovery </a> </td> <td> Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1046"> T1046 </a> </td> <td> <a href="/versions/v9/techniques/T1046"> Network Service Scanning </a> </td> <td> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1135"> T1135 </a> </td> <td> <a href="/versions/v9/techniques/T1135"> Network Share Discovery </a> </td> <td> Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1040"> T1040 </a> </td> <td> <a href="/versions/v9/techniques/T1040"> Network Sniffing </a> </td> <td> Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1201"> T1201 </a> </td> <td> <a href="/versions/v9/techniques/T1201"> Password Policy Discovery </a> </td> <td> Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through <a href="/versions/v9/techniques/T1110">Brute Force</a>. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1120"> T1120 </a> </td> <td> <a href="/versions/v9/techniques/T1120"> Peripheral Device Discovery </a> </td> <td> Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1069"> T1069 </a> </td> <td> <a href="/versions/v9/techniques/T1069"> Permission Groups Discovery </a> </td> <td> Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1069/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1069/001"> Local Groups </a> </td> <td> Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1069/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1069/002"> Domain Groups </a> </td> <td> Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1069/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1069/003"> Cloud Groups </a> </td> <td> Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1057"> T1057 </a> </td> <td> <a href="/versions/v9/techniques/T1057"> Process Discovery </a> </td> <td> Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from <a href="/versions/v9/techniques/T1057">Process Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1012"> T1012 </a> </td> <td> <a href="/versions/v9/techniques/T1012"> Query Registry </a> </td> <td> Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1018"> T1018 </a> </td> <td> <a href="/versions/v9/techniques/T1018"> Remote System Discovery </a> </td> <td> Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as <a href="/versions/v9/software/S0097">Ping</a> or <code>net view</code> using <a href="/versions/v9/software/S0039">Net</a>. Adversaries may also use local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1518"> T1518 </a> </td> <td> <a href="/versions/v9/techniques/T1518"> Software Discovery </a> </td> <td> Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from <a href="/versions/v9/techniques/T1518">Software Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1518/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1518/001"> Security Software Discovery </a> </td> <td> Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1082"> T1082 </a> </td> <td> <a href="/versions/v9/techniques/T1082"> System Information Discovery </a> </td> <td> An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from <a href="/versions/v9/techniques/T1082">System Information Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1614"> T1614 </a> </td> <td> <a href="/versions/v9/techniques/T1614"> System Location Discovery </a> </td> <td> Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from <a href="/versions/v9/techniques/T1614">System Location Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1016"> T1016 </a> </td> <td> <a href="/versions/v9/techniques/T1016"> System Network Configuration Discovery </a> </td> <td> Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include <a href="/versions/v9/software/S0099">Arp</a>, <a href="/versions/v9/software/S0100">ipconfig</a>/<a href="/versions/v9/software/S0101">ifconfig</a>, <a href="/versions/v9/software/S0102">nbtstat</a>, and <a href="/versions/v9/software/S0103">route</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1016/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1016/001"> Internet Connection Discovery </a> </td> <td> Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using <a href="/versions/v9/software/S0097">Ping</a>, <code>tracert</code>, and GET requests to websites. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1049"> T1049 </a> </td> <td> <a href="/versions/v9/techniques/T1049"> System Network Connections Discovery </a> </td> <td> Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1033"> T1033 </a> </td> <td> <a href="/versions/v9/techniques/T1033"> System Owner/User Discovery </a> </td> <td> Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1007"> T1007 </a> </td> <td> <a href="/versions/v9/techniques/T1007"> System Service Discovery </a> </td> <td> Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using <a href="/versions/v9/software/S0057">Tasklist</a>, and "net start" using <a href="/versions/v9/software/S0039">Net</a>, but adversaries may also use other tools as well. Adversaries may use the information from <a href="/versions/v9/techniques/T1007">System Service Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1124"> T1124 </a> </td> <td> <a href="/versions/v9/techniques/T1124"> System Time Discovery </a> </td> <td> An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1497"> T1497 </a> </td> <td> <a href="/versions/v9/techniques/T1497"> Virtualization/Sandbox Evasion </a> </td> <td> Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/001"> .001 </a> </td> <td> <a href="/versions/v9/techniques/T1497/001"> System Checks </a> </td> <td> Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/002"> .002 </a> </td> <td> <a href="/versions/v9/techniques/T1497/002"> User Activity Based Checks </a> </td> <td> Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/versions/v9/techniques/T1497/003"> .003 </a> </td> <td> <a href="/versions/v9/techniques/T1497/003"> Time Based Evasion </a> </td> <td> Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div>  <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> 漏 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100">  <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div>  <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?4260"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script>  <script src="/versions/v9/theme/scripts/navigation.js"></script> </body> </html>

CINXE.COM

Discovery, Tactic TA0007 - Enterprise | MITRE ATT&CK®