Discovery (34 techniques)
Learning about the environment after gaining access — accounts, services, network topology.
The Discovery tactic groups MITRE ATT&CK techniques used by adversaries to learn about the environment after gaining access (accounts, services, network topology). Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1007 — System Service Discovery (Linux, macOS, Windows)
- T1010 — Application Window Discovery (Linux, macOS, Windows)
- T1012 — Query Registry (Windows)
- T1016 — System Network Configuration Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1018 — Remote System Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1033 — System Owner/User Discovery (Linux, macOS, Network Devices, Windows)
- T1040 — Network Sniffing (IaaS, Linux, macOS, Network Devices, Windows)
- T1046 — Network Service Discovery (Containers, IaaS, Linux, macOS, Network Devices, Windows)
- T1049 — System Network Connections Discovery (ESXi, IaaS, Linux, macOS, Network Devices, Windows)
- T1057 — Process Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1069 — Permission Groups Discovery (Containers, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows)
- T1082 — System Information Discovery (ESXi, IaaS, Linux, macOS, Network Devices, Windows)
- T1083 — File and Directory Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1087 — Account Discovery (ESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows)
- T1120 — Peripheral Device Discovery (Linux, macOS, Windows)
- T1124 — System Time Discovery (ESXi, Linux, macOS, Network Devices, Windows)
- T1135 — Network Share Discovery (Linux, macOS, Windows)
- T1201 — Password Policy Discovery (Windows, Linux, macOS, IaaS, Network Devices, Identity Provider, SaaS, Office Suite)
- T1217 — Browser Information Discovery (Linux, macOS, Windows)
- T1482 — Domain Trust Discovery (Windows)
- T1497 — Virtualization/Sandbox Evasion (Linux, macOS, Windows)
- T1518 — Software Discovery (ESXi, IaaS, Linux, macOS, Windows)
- T1526 — Cloud Service Discovery (IaaS, Identity Provider, Office Suite, SaaS)
- T1538 — Cloud Service Dashboard (IaaS, SaaS, Office Suite, Identity Provider)
- T1580 — Cloud Infrastructure Discovery (IaaS)
- T1613 — Container and Resource Discovery (Containers)
- T1614 — System Location Discovery (IaaS, Linux, macOS, Windows)
- T1615 — Group Policy Discovery (Windows)
- T1619 — Cloud Storage Object Discovery (IaaS)
- T1622 — Debugger Evasion (Linux, macOS, Windows)
- T1652 — Device Driver Discovery (Linux, macOS, Windows)
- T1654 — Log Enumeration (ESXi, IaaS, Linux, macOS, Windows)
- T1673 — Virtual Machine Discovery (ESXi, Linux, macOS, Windows)
- T1680 — Local Storage Discovery (ESXi, IaaS, Linux, macOS, Windows)