Discovery (34 techniques)
Learning about the environment after gaining access: accounts, services, network topology.
The Discovery tactic groups MITRE ATT&CK techniques used by adversaries tolearning about the environment after gaining access: accounts, services, network topology. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1007 - System Service DiscoveryLinux, macOS, Windows
- T1010 - Application Window DiscoveryLinux, macOS, Windows
- T1012 - Query RegistryWindows
- T1016 - System Network Configuration DiscoveryESXi, Linux, macOS, Network Devices, Windows
- T1018 - Remote System DiscoveryESXi, Linux, macOS, Network Devices, Windows
- T1033 - System Owner/User DiscoveryLinux, macOS, Network Devices, Windows
- T1040 - Network SniffingIaaS, Linux, macOS, Network Devices, Windows
- T1046 - Network Service DiscoveryContainers, IaaS, Linux, macOS, Network Devices, Windows
- T1049 - System Network Connections DiscoveryESXi, IaaS, Linux, macOS, Network Devices, Windows
- T1057 - Process DiscoveryESXi, Linux, macOS, Network Devices, Windows
- T1069 - Permission Groups DiscoveryContainers, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows
- T1082 - System Information DiscoveryESXi, IaaS, Linux, macOS, Network Devices, Windows
- T1083 - File and Directory DiscoveryESXi, Linux, macOS, Network Devices, Windows
- T1087 - Account DiscoveryESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows
- T1120 - Peripheral Device DiscoveryLinux, macOS, Windows
- T1124 - System Time DiscoveryESXi, Linux, macOS, Network Devices, Windows
- T1135 - Network Share DiscoveryLinux, macOS, Windows
- T1201 - Password Policy DiscoveryWindows, Linux, macOS, IaaS, Network Devices, Identity Provider, SaaS, Office Suite
- T1217 - Browser Information DiscoveryLinux, macOS, Windows
- T1482 - Domain Trust DiscoveryWindows
- T1497 - Virtualization/Sandbox EvasionLinux, macOS, Windows
- T1518 - Software DiscoveryESXi, IaaS, Linux, macOS, Windows
- T1526 - Cloud Service DiscoveryIaaS, Identity Provider, Office Suite, SaaS
- T1538 - Cloud Service DashboardIaaS, SaaS, Office Suite, Identity Provider
- T1580 - Cloud Infrastructure DiscoveryIaaS
- T1613 - Container and Resource DiscoveryContainers
- T1614 - System Location DiscoveryIaaS, Linux, macOS, Windows
- T1615 - Group Policy DiscoveryWindows
- T1619 - Cloud Storage Object DiscoveryIaaS
- T1622 - Debugger EvasionLinux, macOS, Windows
- T1652 - Device Driver DiscoveryLinux, macOS, Windows
- T1654 - Log EnumerationESXi, IaaS, Linux, macOS, Windows
- T1673 - Virtual Machine DiscoveryESXi, Linux, macOS, Windows
- T1680 - Local Storage DiscoveryESXi, IaaS, Linux, macOS, Windows
Detection engineering training, taught by practitioners.
Learn how to build real detections across the MITRE ATT&CK framework.
View Courses