Mobile Discovery consists of techniques adversaries use to gain knowledge about a compromised mobile device and its environment. This includes enumerating files, tracking device location, scanning nearby networks, discovering installed applications, and gathering system information to plan subsequent attack phases.
Tactic Overview
Tactic ID: TA0032 — Matrix: Mobile — Techniques: 8
The Discovery tactic represents a phase in the adversary lifecycle where the adversary is trying to figure out your environment. This tactic is part of the MITRE ATT&CK Mobile matrix and encompasses 8 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (8)
The following techniques are categorized under the Discovery tactic in the MITRE ATT&CK Mobile matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1420 | File and Directory Discovery | Adversaries enumerate files and directories on mobile devices to locate sensitive data and applications. | T1420 |
T1430 | Location Tracking (2 sub-techniques) | Adversaries track the physical location of mobile devices using GPS, cell tower data, and Wi-Fi signals. | T1430 |
T1423 | Network Service Scanning | Adversaries scan for network services accessible from compromised mobile devices. | T1423 |
T1424 | Process Discovery | Adversaries enumerate running processes on mobile devices to identify installed security products. | T1424 |
T1418 | Software Discovery (1 sub-techniques) | Adversaries enumerate installed mobile apps to identify security products, targets, and the device profile. | T1418 |
T1426 | System Information Discovery | Adversaries gather mobile device information including OS version, device model, and unique identifiers. | T1426 |
T1422 | System Network Configuration Discovery (2 sub-techniques) | Adversaries discover mobile network configuration including Wi-Fi SSIDs, IP addresses, and carrier information. | T1422 |
T1421 | System Network Connections Discovery | Adversaries enumerate active network connections on mobile devices to map communications. | T1421 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Location permission controls
- App permission management
- Network monitoring
- Device management policies
Detection Strategies
Effective detection of Discovery techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Discovery tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Discovery Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026