MITRE ATT&CK Discovery (TA0007)

The MITRE ATT&CK Discovery (TA0007) tactic focuses on how adversaries gather information about a system or network environment after gaining access. The goal is to map the environment, identify assets, and locate vulnerabilities for further exploitation. Techniques include system information discovery, network mapping, account enumeration, and software or security tool identification. These actions provide valuable insight into how to navigate and exploit the target environment effectively.

For more details, visit the MITRE ATT&CK Discovery page.

Key Techniques:

  1. Account Discovery: Attackers gather information about existing user accounts on the system or network, often to identify accounts with higher privileges for lateral movement or privilege escalation. This could involve listing user accounts, domain administrators, or service accounts.
  2. System Information Discovery: Attackers retrieve detailed information about the target system, including the operating system version, hardware specifications, or installed software. This helps them understand the capabilities of the target and potentially identify software vulnerabilities that can be exploited.
  3. Network Discovery: Attackers map out the network topology to identify critical systems, routers, firewalls, and connected devices. Techniques like ARP scanning, ping sweeps, and DNS query enumeration help gather this information, providing the attacker with a clear picture of how to navigate the environment.
  4. File and Directory Discovery: This involves searching for critical files, directories, or shared folders that may contain sensitive data or further tools for exploitation. Attackers may use system commands to list directory contents and permissions.
  5. Process Discovery: Adversaries may examine running processes on a system to identify security tools, antivirus programs, or other monitoring mechanisms that they need to avoid or disable.
  6. Security Software Discovery: Attackers look for installed security products, such as antivirus, endpoint detection systems (EDR), or firewalls, so they can find ways to evade detection. By understanding the tools in place, they can tailor their actions to avoid triggering alerts.
  7. Permission Groups Discovery: Adversaries investigate the permission groups within a system to find roles with elevated privileges. By identifying administrative or privileged roles, attackers can attempt to escalate their privileges to perform higher-level actions.

Mitigation Strategies:

  1. Network Segmentation: Segment networks to limit the attacker’s ability to move laterally across systems and discover sensitive assets. Implement strict access controls between network segments.
  2. Endpoint Detection and Response (EDR): Use advanced security tools that monitor system behavior for signs of discovery activities. Suspicious process or system commands can be flagged and investigated.
  3. Access Controls: Limit the use of administrative privileges to only necessary personnel and enforce the principle of least privilege. Regularly audit access controls to ensure that they are properly applied.
  4. Obfuscation of System Information: Hide or minimize exposure of system information to adversaries, making it harder for attackers to gather critical details about the environment.

These strategies help prevent attackers from successfully gathering the information they need for further attacks.
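As an added example (not from the MITRE page or this article), the detection idea behind the EDR mitigation above: a Python rule that classifies process-creation command lines against the Discovery techniques listed earlier and alerts when one host/user pair runs several distinct techniques inside a short window, which separates a routine `whoami` from an enumeration burst. The log format, the command-line patterns and the sample events are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns mapped to the Discovery technique they suggest (constructed, not exhaustive).
DISCOVERY_PATTERNS = {
    "Account Discovery": re.compile(r"\b(net\s+user|whoami|dsquery\s+user)\b", re.I),
    "System Information Discovery": re.compile(r"\b(systeminfo|uname|hostname)\b", re.I),
    "Network Discovery": re.compile(r"\b(arp\s+-a|ipconfig|ifconfig|nltest|net\s+view)\b", re.I),
    "Process Discovery": re.compile(r"\b(tasklist|ps\s+-?aux)\b", re.I),
    "Security Software Discovery": re.compile(r"\b(netsh\s+advfirewall|Get-MpComputerStatus)\b", re.I),
    "Permission Groups Discovery": re.compile(r"\b(net\s+(localgroup|group))\b", re.I),
}

# Constructed process-creation events: (UTC timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01Z", "ws01", "alice", r"C:\Windows\System32\cmd.exe /c whoami /all"),
    ("2024-05-01T10:00:04Z", "ws01", "alice", "net user /domain"),
    ("2024-05-01T10:00:09Z", "ws01", "alice", "systeminfo"),
    ("2024-05-01T10:00:15Z", "ws01", "alice", "net localgroup administrators"),
    ("2024-05-01T10:00:20Z", "ws01", "alice", "tasklist /svc"),
    ("2024-05-01T10:30:00Z", "ws02", "bob", "ipconfig /all"),
    ("2024-05-01T11:00:00Z", "ws02", "bob", "notepad.exe report.txt"),
]

def classify(cmdline):
    """Return the set of Discovery techniques a command line matches (empty if none)."""
    return {name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)}

def find_discovery_bursts(events, window=timedelta(minutes=5), min_techniques=3):
    """Alert when one host/user pair runs >= min_techniques distinct techniques within the window."""
    by_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        techniques = classify(cmd)
        if techniques:
            by_actor[(host, user)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), techniques))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])  # logs are not guaranteed to arrive in time order
        recent = []
        for ts, techniques in hits:
            recent = [h for h in recent if ts - h[0] <= window] + [(ts, techniques)]
            seen = set().union(*(t for _, t in recent))
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "user": user, "first_seen": recent[0][0].isoformat(),
                               "techniques": sorted(seen)})
                recent = []  # one alert per burst, then start counting again
    return alerts
```

Run against the sample, only alice on ws01 trips the rule; bob's single `ipconfig` stays below the threshold, which is the point of counting distinct techniques rather than single commands.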