Skip to content

Discovery

What is "Discovery" ?

Discovery refers to a category that encompasses techniques and tactics used by attackers to gain knowledge about the system, network, and its components that they have infiltrated. This knowledge helps attackers to understand the environment, plan further actions, maintain access, and potentially escalate their privileges.

How is "Discovery" Executed ?

  1. System Information Discovery: Attackers use tools like systeminfo, uname, or scripts to gather information about operating system versions, installed software, system configurations, and runtime information.

  2. Network Service Scanning: Tools such as Nmap or Netstat are employed to scan for open ports and detect running services on those ports. This helps in identifying potential points of entry or valuable services like databases or file servers.

  3. Account Discovery: Techniques involve enumerating user accounts or groups using commands like net user, id, or accessing files like /etc/passwd on Unix/Linux systems. This can also include querying Active Directory services using tools like PowerView.

  4. File and Directory Discovery: Attackers may use commands (ls, dir) or scripts to find files of interest based on their names, extensions, or contents which might contain sensitive information such as credentials or configuration details.

  5. Network Topology Mapping: Tools such as traceroute or specialized software like LANsurveyor are used to map out network devices and their connections, providing a visual layout of how systems are interconnected.

  6. Security Software Discovery: Identifying installed security tools (antivirus, firewalls) using processes list (ps, tasklist) or filesystem checks can help attackers adjust their tactics to avoid detection.

Where is "Discovery" Applied ?

  • Internal Networks: Once access is gained, discovery techniques are applied internally to escalate privileges and move laterally.
  • Cloud Environments: In cloud setups (AWS, Azure), discovery might involve querying management services (like AWS EC2) for information on running instances and security configurations.
  • Endpoints: On individual workstations or servers where gaining context about the local environment is crucial for further exploitation.

Why is "Discovery" Important ?

  • Contextual Awareness: Understanding the environment allows attackers to make informed decisions about which techniques will be most effective for remaining undetected while achieving their goals.
  • Target Identification: Helps in pinpointing valuable assets within a network which could be data repositories, administrative machines, or backup servers.
  • Operational Efficiency: By knowing more about the network layout and deployed defenses, attackers can optimize their attack paths and resource usage to maximize impact while minimizing risks.
  • Adaptive Tactics: Discovery enables adaptive strategies where attacks can be modified based on real-time findings from the target environment thus increasing chances of success.

In summary, "Discovery" in the context of MITRE ATT&CK framework represents a foundational set of tactics that facilitate deeper penetration into a target environment by providing crucial intelligence required for effective attack progression.