# Discovery

## Tactic Description

Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.

## Techniques

Below is a list of all the Discovery techniques in enterprise:

NameTacticsTechnical Description
Account DiscoveryDiscoveryAdversaries may attempt to get a listing of local system or domain accounts.

### Windows

Example commands that can acquire this information are net user, net group <groupname>, and net localgroup <groupname> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

### Mac

On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

### Linux

On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

Also, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.
Application Window DiscoveryDiscoveryAdversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small AppleScript script.
File and Directory DiscoveryDiscoveryAdversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

### Windows

Example utilities used to obtain this information are dir and tree.Windows Commands JPCERT Custom tools may also be used to gather file and directory information and interact with the Windows API.

### Mac and Linux

In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.
Network Service ScanningDiscoveryAdversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
Network Share DiscoveryDiscoveryNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

### Windows

File sharing over a Windows network occurs over the SMB protocol.Wikipedia Shared ResourceTechNet Shared Folder

Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

### Mac

On Mac, locally mounted shares can be viewed with the df -aH command.
Peripheral Device DiscoveryDiscoveryAdversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Permission Groups DiscoveryDiscoveryAdversaries may attempt to find local system or domain-level groups and permissions settings.

### Windows

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

### Mac

On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.

### Linux

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.
Process DiscoveryDiscoveryAdversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.

### Windows

An example command that would obtain details on processes is "tasklist" using the Tasklist utility.

### Mac and Linux

In Mac and Linux, this is accomplished with the ps command.
Query RegistryDiscoveryAdversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.Wikipedia Windows Registry Some of the information may help adversaries to further their operation within a network.
Remote System DiscoveryDiscoveryAdversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.

### Windows

Examples of tools and commands that acquire this information include "ping" or "net view" using Net.

### Mac

Specific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.

### Linux

Utilities such as "ping" and others can be used to gather information about remote systems.
Security Software DiscoveryDiscoveryAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.

### Windows

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.

### Mac

It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
System Information DiscoveryDiscoveryAn adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

### Windows

Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories.

### Mac

On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
System Network Configuration DiscoveryDiscoveryAdversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
System Network Connections DiscoveryDiscoveryAdversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

### Windows

Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.

### Mac and Linux

In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".
System Owner/User DiscoveryDiscovery===Windows===

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.

### Mac

On Mac, the currently logged in user can be identified with users,w, and who.

### Linux

On Linux, the currently logged in user can be identified with w and who.
System Service DiscoveryDiscoveryAdversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.
System Time DiscoveryDiscoveryThe system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.MSDN System TimeTechnet Windows Time Service An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.Technet Windows Time Service The information could be useful for performing other techniques, such as executing a file with a Scheduled TaskRSA EU12 They're Inside, or to discover locality information based on time zone to assist in victim targeting.