The Mitre Att&ck Matrix has set 30 Techniques in the Discovery category. Discovery is Mitre Att&ck Matrix’s second most complex category. These are generally steps taken to enumerate the target the threat actor is preparing to attack.
Account Discovery is when the threat actor enumerates a system/network for accounts that could be a target.
Application Window Discovery is when the threat actor attempts to discover which application is running and which is active. When a threat actor knows what application is actively in use, the threat actor can determine if it is worth using a keylogger, or they could pick an application that is not active to attempt to prevent the detection of a malfunctioning app.
Browser Bookmark Discovery is when a threat actor discovers all saved bookmarks. By determining what services an end user uses, the threat actor will have an easier time launching a successful phishing campaign.
Cloud Infrastructure Discovery is when a threat actor has a Cloud Computing API access key and determines what systems it has access to.
Cloud Service Dashboard is when a threat actor has access to their target organization’s cloud dashboard and seeks out what sort of privileges the impacted user has.
Cloud Service Discovery is when a threat actor determines what cloud services are active on specific systems or throughout the organization.
Cloud Storage Object Discovery is when a threat actor enumerates the cloud storage infrastructure to see what files can be accessed.
Container and Resource Discovery is when a threat actor enumerates a system to see what containers are available on a system. Containers can be Docker, Kubernetes, or even FreeBSD jails.
Debugger Evasion in the discovery is when the threat actor utilizes techniques to discover if it is actively getting debugged. Once the malware has discovered the debugging activity, the threat actor or malware could engage in defense evasion activities.
Domain Trust Discovery is when a threat actor enumerates a system for domain trusts to determine options that would be available for lateral movement.
File and Directory Discovery is when a threat actor enumerates a system to discover the file structure and find interesting files worth exfiltrating.
Group Policy Discovery is when a threat actor enumerates a system for GPOs so that the threat actor can determine a weak point.
Network Service Discovery is when a threat actor enumerates a system to determine what network services currently is running.
Network Share Discovery is when a threat actor enumerates a system for network shares that eventually be accessed.
Network Sniffing is when a threat actor sniffs traffic to discover credentials or identify other systems that could become targets.
Password Policy Discovery is when a threat actor enumerates a system to discover a password policy. Effectively this makes brute forcing a password more efficient as they can determine how many guesses one can make in certain intervals and identify the minimum and maximum length a password can be.
Peripheral Device Discovery is when a threat actor enumerates a system to determine what kind of devices exist on a system.
Permission Groups Discovery is when a threat actor enumerates a system to determine what groups exist and their permissions.
Process Discovery is when a threat actor enumerates a system to see what software is running.
Query Registry is when a threat actor queries the Windows registry to see if specific settings are enabled or to find indicators that this system is already infected.
Remote System Discovery is when a threat actor scans a network for reachable systems. When Remote System Discover gets executed from a compromised system, you avoid firewalls.
Software Discovery is when a threat actor enumerates a system for installed software.
System Information Discovery is when a threat actor enumerates a system to determine its configuration, system name, etc.
System Location Discovery is when a threat actor determines the actual location of a system.
System Network Configuration Discovery is when a threat actor determines the network configuration.
System Network Connections Discovery is when a threat actor determines what IPs have an existing connection to the system.
System Owner/User Discovery is when a threat actor enumerates a system to determine the system owner and system users.
System Service Discovery is when a threat actor enumerates a system to determine what services are running.
System Time Discovery is when a threat actor enumerates a system to determine what time it currently is set for and what time zone the system is in.
Virtualization/Sandbox Evasion is when a threat actor or malware determines if they are in a virtualized/sandboxed environment.