Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what is around their entry point in order to discover how it could benefit their current objective.
Tactic Overview
Tactic ID: TA0007 — Matrix: Enterprise — Techniques: 34
The Discovery tactic represents a phase in the adversary lifecycle where the adversary is trying to figure out your environment. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 34 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (34)
The following techniques are categorized under the Discovery tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T1087 | Account Discovery (4 sub-techniques) | Adversaries enumerate local, domain, email, and cloud accounts to understand the environment and identify targets for lateral movement. | T1087 |
| T1010 | Application Window Discovery | Adversaries list open application windows to understand user activity and identify targets of interest. | T1010 |
| T1217 | Browser Information Discovery (2 sub-techniques) | Adversaries enumerate browser information including bookmarks, history, and saved passwords to gather intelligence. | T1217 |
| T1580 | Cloud Infrastructure Discovery | Adversaries discover cloud infrastructure resources like VMs, storage, and networking components to map the cloud environment. | T1580 |
| T1538 | Cloud Service Dashboard | Adversaries access cloud service dashboards (GCP, AWS, Azure portals) to discover resources and gather configuration information. | T1538 |
| T1526 | Cloud Service Discovery | Adversaries enumerate cloud services and features to understand the cloud architecture and identify attack opportunities. | T1526 |
| T1619 | Cloud Storage Object Discovery | Adversaries enumerate objects within cloud storage services (S3 buckets, Azure Blobs) to identify sensitive data for collection. | T1619 |
| T1613 | Container and Resource Discovery | Adversaries enumerate containers, pods, and container resources to understand the container orchestration environment. | T1613 |
| T1622 | Debugger Evasion | Adversaries check for debugging environments and modify behavior to evade analysis by security researchers. | T1622 |
| T1652 | Device Driver Discovery | Adversaries enumerate device drivers to identify installed security products, virtualization, and potentially exploitable drivers. | T1652 |
| T1482 | Domain Trust Discovery | Adversaries enumerate domain trusts to identify opportunities for lateral movement across trusted domains. | T1482 |
| T1083 | File and Directory Discovery | Adversaries enumerate files and directories to understand the file system structure and locate sensitive data. | T1083 |
| T1615 | Group Policy Discovery | Adversaries discover Group Policy settings to understand security configurations and identify policy-based attack opportunities. | T1615 |
| T1680 | Local Storage Discovery | Adversaries search local browser storage (localStorage, sessionStorage, IndexedDB) for sensitive data. | T1680 |
| T1654 | Log Enumeration | Adversaries enumerate log files to understand monitoring capabilities and identify logged activity. | T1654 |
| T1046 | Network Service Discovery | Adversaries scan for running services on remote hosts to identify exploitable services and open ports. | T1046 |
| T1135 | Network Share Discovery | Adversaries enumerate network shares to identify accessible shared resources containing sensitive data. | T1135 |
| T1040 | Network Sniffing | Adversaries sniff network traffic to capture credentials and sensitive data transmitted over the network. | T1040 |
| T1201 | Password Policy Discovery | Adversaries discover password policy settings to inform credential attacks like brute force attempts. | T1201 |
| T1120 | Peripheral Device Discovery | Adversaries discover connected peripheral devices like USB drives, printers, and cameras. | T1120 |
| T1069 | Permission Groups Discovery (3 sub-techniques) | Adversaries enumerate permission groups and group memberships to understand access hierarchies. | T1069 |
| T1057 | Process Discovery | Adversaries enumerate running processes to understand active software, security products, and user activity. | T1057 |
| T1012 | Query Registry | Adversaries query the Windows Registry to gather system configuration and installed software information. | T1012 |
| T1018 | Remote System Discovery | Adversaries discover remote systems on the network to identify targets for lateral movement. | T1018 |
| T1518 | Software Discovery (2 sub-techniques) | Adversaries enumerate installed software to identify security tools, applications, and potential vulnerabilities. | T1518 |
| T1082 | System Information Discovery | Adversaries gather detailed system information including OS version, architecture, hostname, and hardware details. | T1082 |
| T1614 | System Location Discovery (1 sub-technique) | Adversaries determine the geographic location of the system using locale settings, time zones, and keyboard layouts. | T1614 |
| T1016 | System Network Configuration Discovery (2 sub-techniques) | Adversaries discover network configuration details including IP addresses, DNS settings, gateways, and routing tables. | T1016 |
| T1049 | System Network Connections Discovery | Adversaries discover active network connections to understand communication patterns and identify connected systems. | T1049 |
| T1033 | System Owner/User Discovery | Adversaries identify the current user, logged-in users, and user permissions on compromised systems. | T1033 |
| T1007 | System Service Discovery | Adversaries enumerate system services to understand running software and identify targets for modification. | T1007 |
| T1124 | System Time Discovery | Adversaries query system time to understand time zones and schedule operations accordingly. | T1124 |
| T1673 | Virtual Machine Discovery | Adversaries discover virtual machines in the environment to identify additional targets and understand infrastructure. | T1673 |
| T1497 | Virtualization/Sandbox Evasion (3 sub-techniques) | Adversaries check for signs of virtualized or sandboxed environments to evade analysis and only execute on real targets. | T1497 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Note that most Discovery techniques abuse built-in operating-system utilities and legitimate APIs (net, whoami, nltest, ipconfig, cloud CLIs and SDKs), which is why MITRE states that many of them cannot be easily mitigated with preventive controls; the emphasis falls on limiting what a foothold can see and on detecting the enumeration itself. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Network segmentation: limit the hosts, shares and services an initial foothold can reach and therefore enumerate
- Limit unnecessary tools: remove or restrict scanners and enumeration utilities where users have no need for them, and audit use of the ones that remain
- Monitor for enumeration commands: collect process creation with full command lines (Sysmon Event ID 1, Security 4688 with command-line auditing) and watch for net, whoami, nltest, systeminfo, ipconfig, PowerShell AD cmdlets and high volumes of cloud List/Describe API calls
- Honeypots and deception technology: decoy accounts, shares and hosts that legitimate users never touch, so any enumeration of them is a high-fidelity signal
- Least privilege access: restrict account, group and directory read rights so a compromised low-privilege account learns as little as possible about the environment
Detection Strategies
Effective detection of Discovery techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. The practical difficulty is that the same commands are routine administration, so a single whoami or ipconfig is a poor signal. MITRE's guidance is not to view these events in isolation but as part of a chain of behavior: alert on bursts of distinct enumeration commands from one user on one host in a short window, on enumeration by principals that never do it (service accounts, newly created users), on unusual parent processes (Office applications, browsers, web server worker processes), on off-hours activity, and, in cloud environments, on unusual volumes of List/Describe/Get calls in audit logs such as CloudTrail. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
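The "monitor for enumeration commands" mitigation and the burst-oriented detection strategy above can be made concrete. The following is an added example written for this page, not detection content from Mjolnir Security or from MITRE: a minimal detector that maps command lines to Discovery technique IDs and alerts when one user on one host spans several distinct techniques inside a short window. It runs over a constructed set of Windows process-creation records (the fields mirror Sysmon Event ID 1 / Security 4688, but every record is made up), the signature list is illustrative rather than exhaustive, and the five-minute window and three-technique threshold are tuning assumptions.

```python
"""Added example (not from the original page or from Mjolnir Security).

Burst detection for Discovery-phase commands. A lone `ipconfig` is normal
administration; whoami + net user + net group + nltest from the same user
in the same minute is the orientation burst the tactic describes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns (matched after the executable path is stripped) -> ATT&CK technique.
# Illustrative subset only; a production list would cover PowerShell, WMI and cloud CLIs too.
DISCOVERY_SIGNATURES = [
    (re.compile(r"^whoami(\.exe)?\b", re.I), "T1033"),                 # System Owner/User Discovery
    (re.compile(r"^(quser|qwinsta)(\.exe)?\b", re.I), "T1033"),
    (re.compile(r"^net1?(\.exe)?\s+user\b", re.I), "T1087"),           # Account Discovery
    (re.compile(r"^net1?(\.exe)?\s+(local)?group\b", re.I), "T1069"),  # Permission Groups Discovery
    (re.compile(r"^nltest(\.exe)?\b", re.I), "T1482"),                 # Domain Trust Discovery
    (re.compile(r"^systeminfo(\.exe)?\b", re.I), "T1082"),             # System Information Discovery
    (re.compile(r"^ipconfig(\.exe)?\b", re.I), "T1016"),               # System Network Configuration Discovery
    (re.compile(r"^netstat(\.exe)?\b", re.I), "T1049"),                # System Network Connections Discovery
    (re.compile(r"^tasklist(\.exe)?\b", re.I), "T1057"),               # Process Discovery
    (re.compile(r"^net1?(\.exe)?\s+view\b", re.I), "T1018"),           # Remote System Discovery
    (re.compile(r"^net1?(\.exe)?\s+share\b", re.I), "T1135"),          # Network Share Discovery
    (re.compile(r"^(sc(\.exe)?\s+query|net1?(\.exe)?\s+start)\b", re.I), "T1007"),  # System Service Discovery
]

WINDOW = timedelta(minutes=5)   # tuning assumption for this example
MIN_DISTINCT_TECHNIQUES = 3     # tuning assumption for this example


def normalize(command_line):
    """Reduce '"C:\\Windows\\System32\\net1.exe" user /domain' to 'net1.exe user /domain'."""
    cmd = command_line.strip()
    if not cmd:
        return ""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r"^(\S+)\s*(.*)$", cmd)
    exe = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1]
    return f"{exe} {m.group(2)}".strip()


def classify(command_line):
    """Return the ATT&CK technique ID a command line maps to, or None if it is not enumeration."""
    cmd = normalize(command_line)
    for pattern, technique in DISCOVERY_SIGNATURES:
        if pattern.search(cmd):
            return technique
    return None


def detect_discovery_bursts(events, window=WINDOW, min_techniques=MIN_DISTINCT_TECHNIQUES):
    """Alert once per burst in which one (host, user) spans >= min_techniques distinct techniques within `window`."""
    by_principal = defaultdict(list)
    for ev in events:
        technique = classify(ev["command_line"])
        if technique:
            by_principal[(ev["host"], ev["user"])].append((ev["time"], technique, ev["command_line"]))

    alerts = []
    for (host, user), hits in by_principal.items():
        hits.sort(key=lambda h: h[0])
        i = 0
        while i < len(hits):
            window_end = hits[i][0] + window
            in_window = [h for h in hits[i:] if h[0] <= window_end]   # sorted, so this is a prefix
            techniques = sorted({t for _, t, _ in in_window})
            if len(techniques) >= min_techniques:
                alerts.append({"host": host, "user": user, "start": hits[i][0],
                               "techniques": techniques,
                               "commands": [c for _, _, c in in_window]})
                i += len(in_window)   # skip the whole burst: one alert, not one per command
            else:
                i += 1
    return alerts


def _ev(ts, host, user, cmd):
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "command_line": cmd}


# Constructed records: an admin's routine checks, a user repeating one command,
# and a service account that suddenly enumerates the domain (the burst).
SAMPLE_EVENTS = [
    _ev("2026-03-07T09:00:01", "WS01", "alice", "ipconfig /all"),
    _ev("2026-03-07T09:12:40", "WS01", "alice", "ping 10.0.0.5"),
    _ev("2026-03-07T10:15:00", "WS07", "svc_backup", '"C:\\Windows\\System32\\whoami.exe" /all'),
    _ev("2026-03-07T10:15:03", "WS07", "svc_backup", "net user /domain"),
    _ev("2026-03-07T10:15:07", "WS07", "svc_backup", 'net group "Domain Admins" /domain'),
    _ev("2026-03-07T10:15:12", "WS07", "svc_backup", "nltest /domain_trusts"),
    _ev("2026-03-07T10:15:20", "WS07", "svc_backup", "systeminfo"),
    _ev("2026-03-07T10:15:25", "WS07", "svc_backup", "net view /domain"),
    _ev("2026-03-07T11:00:00", "WS02", "bob", "whoami"),
    _ev("2026-03-07T11:00:30", "WS02", "bob", "whoami /groups"),
    _ev("2026-03-07T11:01:00", "WS02", "bob", "net user bob"),
    _ev("2026-03-07T14:30:00", "WS01", "alice", "netstat -an"),
]

if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} {alert['user']} @ {alert['start']:%H:%M:%S} "
              f"techniques={alert['techniques']}")
        for cmd in alert["commands"]:
            print("    ", cmd)
```

Run against the sample, only svc_backup on WS07 produces an alert: alice's two commands fall hours apart, and bob's three commands cover only two techniques, which is why the detector counts distinct techniques rather than raw command volume. The same logic ports directly to a SIEM query by grouping process-creation events on host and user and counting distinct technique tags per time bucket; in a real deployment the events come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled, and the signature list is the part that needs extending for the environment.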
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Discovery tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Discovery Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
Written by Mjolnir Security Research — Published March 7, 2026
