9. Discovery
Discovery (TA0007)
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act.
Strategy
- Low and Slow: Running `nmap` across the whole subnet will set off alarms.
- Native Tools: Use `net.exe`, `nltest.exe`, and PowerShell instead of dropping binary scanners.
Section Contents
- Account Discovery: Enumerating local and domain accounts to find targets.
- Cloud Infrastructure Discovery: Enumerating cloud resources, permissions, and storage to map the environment.
- Software Discovery: Enumerating installed applications and security tools.
- System Network Configuration Discovery: Identifying network interfaces, routes, and connected neighbors.