Discovery (34 techniques)
Learning about the environment after gaining access — accounts, services, network topology.
The Discovery tactic groups MITRE ATT&CK techniques that adversaries use to learn about the environment after gaining access: accounts, services, network topology. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1007 — System Service Discovery (Linux, macOS, Windows)
- T1010 — Application Window Discovery (Linux, macOS, Windows)
- T1012 — Query Registry (Windows)
- T1016 — System Network Configuration Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1018 — Remote System Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1033 — System Owner/User Discovery (Linux, macOS, Network Devices, Windows)
- T1040 — Network Sniffing (IaaS, Linux, macOS, Network Devices, Windows)
- T1046 — Network Service Discovery (Containers, IaaS, Linux, macOS, Network Devices, Windows)
- T1049 — System Network Connections Discovery (ESXi, IaaS, Linux, macOS, Network Devices, Windows)
- T1057 — Process Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1069 — Permission Groups Discovery (Containers, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows)
- T1082 — System Information Discovery (ESXi, IaaS, Linux, macOS, Network Devices, Windows)
- T1083 — File and Directory Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1087 — Account Discovery (ESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows)
- T1120 — Peripheral Device Discovery (Linux, macOS, Windows)
- T1124 — System Time Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1135 — Network Share Discovery (Linux, macOS, Windows)
- T1201 — Password Policy Discovery (Windows, Linux, macOS, IaaS, Network Devices, Identity Provider, SaaS, Office Suite)
- T1217 — Browser Information Discovery (Linux, macOS, Windows)
- T1482 — Domain Trust Discovery (Windows)
- T1497 — Virtualization/Sandbox Evasion (Linux, macOS, Windows)
- T1518 — Software Discovery (ESXi, IaaS, Linux, macOS, Windows)
- T1526 — Cloud Service Discovery (IaaS, Identity Provider, Office Suite, SaaS)
- T1538 — Cloud Service Dashboard (IaaS, SaaS, Office Suite, Identity Provider)
- T1580 — Cloud Infrastructure Discovery (IaaS)
- T1613 — Container and Resource Discovery (Containers)
- T1614 — System Location Discovery (IaaS, Linux, macOS, Windows)
- T1615 — Group Policy Discovery (Windows)
- T1619 — Cloud Storage Object Discovery (IaaS)
- T1622 — Debugger Evasion (Linux, macOS, Windows)
- T1652 — Device Driver Discovery (Linux, macOS, Windows)
- T1654 — Log Enumeration (ESXi, IaaS, Linux, macOS, Windows)
- T1673 — Virtual Machine Discovery (ESXi, Linux, macOS, Windows)
- T1680 — Local Storage Discovery (ESXi, IaaS, Linux, macOS, Windows)