Discovery (MITRE Tactic)
What is Discovery (MITRE Tactic)?
The MITRE ATT&CK tactic (TA0007) covering techniques attackers use to learn about a compromised environment after gaining access.
Discovery (MITRE ATT&CK tactic TA0007) describes the internal reconnaissance an adversary performs after establishing a foothold. It includes account discovery, system and network configuration discovery, domain trust enumeration, file and directory listing, browser bookmark and password store enumeration, cloud service discovery, security software discovery, and tools like BloodHound for Active Directory attack-path mapping. Discovery is largely a read-only activity, which makes it hard to block directly, but it generates distinctive command-line and API patterns. Defenders use EDR, command-line auditing, deception (honey accounts/files), and detections for tools like BloodHound, AdFind, or net.exe sweeps to catch attackers between Initial Access and Lateral Movement.
● Examples
- 01 Running BloodHound's SharpHound collector to map AD privilege paths to Domain Admin.
- 02 Executing net group "Domain Admins" /domain to enumerate privileged accounts.
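The definition above notes that Discovery is hard to block but leaves distinctive command-line patterns, and that defenders watch for tools such as BloodHound or AdFind and for net.exe sweeps. The following is an added example, not code from the original page or from MITRE, showing what such a detection looks like in practice: it scans constructed process-creation records (the field names mirror a Sysmon Event ID 1 / Windows 4688 shape, but every record, host name and user is made up for this example) for discovery command lines, and raises a "discovery burst" alert when one host/user pair runs several distinct discovery commands within a short window. The rule names, the five-minute window and the threshold of three commands are assumptions of this example, not figures from the page.

```python
"""Added example (not part of the original glossary page): flag Discovery-tactic
(TA0007) command lines in process-creation logs and spot net.exe-style sweeps."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a Sysmon EventID 1 / 4688-like shape (hypothetical data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2024-05-01T09:00:03", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user /domain"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators"},
    {"ts": "2024-05-01T09:00:07", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2024-05-01T09:00:09", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2024-05-01T10:15:00", "host": "SRV02", "user": "CORP\\svc_backup",
     "image": r"C:\Users\Public\SharpHound.exe", "cmdline": "SharpHound.exe -c All"},
    # Benign net.exe use and an unrelated process: neither should match.
    {"ts": "2024-05-01T11:00:00", "host": "WS07", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use Z: \\\\fs01\\share"},
    {"ts": "2024-05-01T11:30:00", "host": "WS07", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Detection rules (assumed names): each pairs a label with a regex over "image cmdline".
# The regexes tolerate net1.exe / .exe suffixes and are case-insensitive.
DISCOVERY_RULES = [
    ("net.exe privileged group enumeration",
     re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain', re.I)),
    ("net.exe domain account enumeration",
     re.compile(r'\bnet1?(?:\.exe)?\s+user\b.*\s/domain\b', re.I)),
    ("net.exe local group enumeration",
     re.compile(r'\bnet1?(?:\.exe)?\s+localgroup\b', re.I)),
    ("domain trust / DC enumeration (nltest)",
     re.compile(r'\bnltest(?:\.exe)?\s+/(?:domain_trusts|dclist)', re.I)),
    ("whoami privilege/group dump",
     re.compile(r'\bwhoami(?:\.exe)?\s+/(?:all|groups|priv)', re.I)),
    ("AD collection tool (SharpHound/AdFind)",
     re.compile(r'\b(?:sharphound|adfind)(?:\.exe)?\b', re.I)),
]


def classify(event):
    """Return the labels of every discovery rule that matches one process-creation event."""
    text = f"{event['image']} {event['cmdline']}"
    return [label for label, rx in DISCOVERY_RULES if rx.search(text)]


def detect(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Return (hits, bursts).

    hits   : one record per event that matched at least one discovery rule.
    bursts : one alert per host/user pair that ran >= burst_threshold *distinct*
             discovery command lines inside `window` (a net.exe sweep, for example).
    """
    hits = []
    per_actor = defaultdict(list)  # (host, user) -> [(timestamp, cmdline), ...]
    for ev in events:
        labels = classify(ev)
        if not labels:
            continue
        hits.append({"host": ev["host"], "user": ev["user"],
                     "cmdline": ev["cmdline"], "rules": labels})
        per_actor[(ev["host"], ev["user"])].append(
            (datetime.fromisoformat(ev["ts"]), ev["cmdline"]))

    bursts = []
    for (host, user), items in per_actor.items():
        items.sort()  # chronological order so each window starts at an observed event
        for i, (start, _) in enumerate(items):
            distinct = {cmd for ts, cmd in items[i:] if ts - start <= window}
            if len(distinct) >= burst_threshold:
                bursts.append({"host": host, "user": user, "count": len(distinct),
                               "window_start": start.isoformat()})
                break  # one alert per actor is enough for triage
    return hits, bursts


if __name__ == "__main__":
    hits, bursts = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[hit]   {h['host']:5} {h['user']:16} {h['cmdline']!r} -> {h['rules']}")
    for b in bursts:
        print(f"[burst] {b['host']} {b['user']}: {b['count']} distinct discovery "
              f"commands from {b['window_start']}")
```

In the constructed data the WS01 burst (five distinct discovery commands in eight seconds) is the signal the page describes as a net.exe sweep, while the single SharpHound execution on SRV02 is caught by the tool rule alone; the benign `net use` on WS07 does not match, which is the point of anchoring the regexes on the specific subcommands rather than on net.exe itself.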
● Frequently asked questions
What is Discovery (MITRE Tactic)?
The MITRE ATT&CK tactic (TA0007) covering techniques attackers use to learn about a compromised environment after gaining access. It belongs to the Defense & Operations category of cybersecurity.
What does Discovery (MITRE Tactic) mean?
The MITRE ATT&CK tactic (TA0007) covering techniques attackers use to learn about a compromised environment after gaining access.
How does Discovery (MITRE Tactic) work?
Discovery (MITRE ATT&CK tactic TA0007) describes the internal reconnaissance an adversary performs after establishing a foothold. It includes account discovery, system and network configuration discovery, domain trust enumeration, file and directory listing, browser bookmark and password store enumeration, cloud service discovery, security software discovery, and tools like BloodHound for Active Directory attack-path mapping. Discovery is largely a read-only activity, which makes it hard to block directly, but it generates distinctive command-line and API patterns. Defenders use EDR, command-line auditing, deception (honey accounts/files), and detections for tools like BloodHound, AdFind, or net.exe sweeps to catch attackers between Initial Access and Lateral Movement.
How do you defend against Discovery (MITRE Tactic)?
Defences for Discovery (MITRE Tactic) typically combine technical controls (EDR, command-line auditing, and detections for tools such as BloodHound and AdFind or for net.exe sweeps) with operational practices such as deception using honey accounts and files, as detailed in the full definition above.
What are other names for Discovery (MITRE Tactic)?
Common alternative names include: Internal reconnaissance, TA0007.
● Related terms
- MITRE ATT&CK (compliance № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- BloodHound (defense-ops № 107): An open-source tool that uses graph theory to map and analyze Active Directory and Azure AD attack paths to high-value targets like Domain Admin.
- Reconnaissance (defense-ops № 905): The first phase of an attack, in which adversaries gather information about a target's people, technology, and exposure before launching intrusion attempts.
- Lateral Movement (defense-ops № 606): The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
- Active Directory (identity-access № 013): Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- Cyber Kill Chain (defense-ops № 265): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.