Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
Below is a list of all the Discovery techniques in enterprise:
|Account Discovery||Discovery||Adversaries may attempt to get a listing of local system or domain accounts.
Example commands that can acquire this information are
On Mac, groups can be enumerated through the
On Linux, local users can be enumerated through the use of the
|Application Window Discovery||Discovery||Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small AppleScript script.|
|Browser Bookmark Discovery||Discovery||Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials in Files associated with logins cached by a browser.Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.
|File and Directory Discovery||Discovery||Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Example utilities used to obtain this information are
Mac and LinuxIn Mac and Linux, this kind of discovery is accomplished with the
|Network Service Scanning||Discovery||Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.|
|Network Share Discovery||Discovery||Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Net can be used to query a remote system for available shared drives using the
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
MacOn Mac, locally mounted shares can be viewed with the
|Password Policy Discovery||Discovery||Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
|Peripheral Device Discovery||Discovery||Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.|
|Permission Groups Discovery||Discovery||Adversaries may attempt to find local system or domain-level groups and permissions settings.
Examples of commands that can list groups are
On Mac, this same thing can be accomplished with the
LinuxOn Linux, local groups can be enumerated with the
|Process Discovery||Discovery||Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
An example command that would obtain details on processes is "tasklist" using the Tasklist utility.
Mac and LinuxIn Mac and Linux, this is accomplished with the
|Query Registry||Discovery||Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.6 Some of the information may help adversaries to further their operation within a network.|
|Remote System Discovery||Discovery||Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Examples of tools and commands that acquire this information include "ping" or "net view" using Net.
Specific to Mac, the
LinuxUtilities such as "ping" and others can be used to gather information about remote systems.
|Security Software Discovery||Discovery||Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Example commands that can be used to obtain security software information are netsh,
MacIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
|System Information Discovery||Discovery||An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
MacOn Mac, the
|System Network Configuration Discovery||Discovery||Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.|
|System Network Connections Discovery||Discovery||Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Mac and LinuxIn Mac and Linux,
|System Owner/User Discovery||Discovery||===Windows===
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.
On Mac, the currently logged in user can be identified with
LinuxOn Linux, the currently logged in user can be identified with
|System Service Discovery||Discovery||Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.|
|System Time Discovery||Discovery||The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.78
An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing |
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.
- Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.
- Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)?. Retrieved April 5, 2018.
- Holland, J. (2016, January 25). User password policies on non AD machines. Retrieved April 5, 2018.
- Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.
- Microsoft. (n.d.). System Time. Retrieved November 25, 2016.
- Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.
- Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016.