Discovery

ATAGS Tactic: Discovery

ID: TA1008
Created: 18 April 2026
Last Modified: 18 April 2026

Techniques

Techniques: 32
ID Name Description
ATAGS-T1127 Account Discovery Threat actors may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help Threat actors determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
.001 Local Account Threat Actors may attempt to get a listing of local system accounts. This information can help Threat Actors determine which local accounts exist on a system to aid in follow-on behavior.
.002 Domain Account Threat Actors may attempt to get a listing of domain accounts. This information can help Threat Actors determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
.003 Email Account Threat Actors may attempt to get a listing of email addresses and accounts. Threat Actors may try to dump Exchange address lists such as global address lists (GALs).
.004 Cloud Account Threat Actors may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
ATAGS-T1128 Browser Information Discovery Threat actors may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
ATAGS-T1129 Cloud Infrastructure Discovery Threat actors may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
ATAGS-T1130 Cloud Service Dashboard Threat actors may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, review findings of potential security risks, and run additional queries, such as finding public IP addresses and open ports.
ATAGS-T1131 Cloud Service Discovery Threat actors may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
ATAGS-T1132 Cloud Storage Object Discovery Threat actors may enumerate objects in cloud storage infrastructure. Threat actors may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) Threat actors may access the contents/objects stored in cloud infrastructure.
ATAGS-T1133 Cloud/Organization Policy Discovery Threat actors may gather information on Cloud Organization Policies (e.g., AWS SCPs) or IAM boundaries to identify paths for privilege escalation and understand the security constraints applied to the tenancy.
ATAGS-T1134 Container and Resource Discovery Threat actors may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
ATAGS-T1135 Device Driver Discovery Threat actors may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
ATAGS-T1136 File and Directory Discovery Threat actors may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Threat actors may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
ATAGS-T1137 Ground Network Sniffing Threat actors may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. Threat actors may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
ATAGS-T1138 Key Management Policy Discovery Threat actors may try to gather information about the key management policy that is implemented. Security policies are rules and regulations that describe the operational procedures required for proper key management. This includes the specification of rules for processes such as generation, distribution, and allowed use of cryptographic keys.
ATAGS-T1139 Link Segment Sniffing Threat actors may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Threat actors may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN ports to capture a larger amount of data. In the context of GSaaS, this includes the interception of digitized RF streams (VITA 49) and monitoring of IF (Intermediate Frequency) spectrum data if it is accessible via network interfaces.
ATAGS-T1140 Local Storage Discovery Threat actors may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform Lateral Movement, or as a precursor to Direct Volume Access. 
ATAGS-T1141 Log Enumeration Threat actors may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for Threat actors, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).
ATAGS-T1142 Network Service Discovery Threat actors may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system. 
ATAGS-T1143 Network Share Discovery Threat actors may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. 
ATAGS-T1144 Password Policy Discovery Threat actors may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, not trying passwords such as 'pass123'; not checking more than 3-4 passwords per account if the lockout threshold is set to 6, so as not to lock out accounts).
ATAGS-T1145 Peripheral Device Discovery Threat actors may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
ATAGS-T1146 Permission Groups Discovery Threat actors may attempt to discover group and permission settings. This information can help Threat actors determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
.001 Local Groups Threat Actors may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help Threat Actors determine which groups exist and which users belong to a particular group. Threat Actors may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
.002 Domain Groups Threat Actors may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help Threat Actors determine which groups exist and which users belong to a particular group. Threat Actors may use this information to determine which users have elevated permissions, such as domain administrators.
.003 Cloud Groups Threat Actors may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help Threat Actors determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
ATAGS-T1147 Process Discovery Threat actors may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Threat actors may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
ATAGS-T1148 Remote System Discovery Threat actors may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping, net view using Net, or, on ESXi servers, esxcli network diag ping.
ATAGS-T1149 Remote System Information Discovery Threat actors may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Threat actors may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. 
ATAGS-T1150 Software Discovery Threat actors may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Threat actors may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
.001 Security Software Discovery Threat Actors may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Threat Actors may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
.002 Backup Software Discovery Threat Actors may attempt to get a listing of backup software or configurations that are installed on a system. Threat Actors may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact. 
ATAGS-T1151 System Information Discovery Threat actors may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Threat actors may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery, which covers the discovery of local drives, disks and/or volumes.
ATAGS-T1152 System Location Discovery Threat actors may gather information in an attempt to calculate the geographical location of a victim host. Threat actors may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
.001 System Language Discovery Threat Actors may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.
ATAGS-T1153 System Network Configuration Discovery Threat actors may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
.001 Internet Connection Discovery Threat Actors may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
.002 Wi-Fi Discovery Threat Actors may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Threat Actors may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.
ATAGS-T1154 System Network Connections Discovery Threat actors may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
ATAGS-T1155 System Owner/User Discovery Threat actors may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Threat actors may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
ATAGS-T1156 System Service Discovery Threat actors may try to gather information about registered local system services. Threat actors may obtain information about services using tools as well as OS utility commands. Threat actors may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 
ATAGS-T1157 Trust Relationships Discovery Threat actors may try to gather information about Trust Relationships with other companies or organizations.
ATAGS-T1158 Virtual Machine Discovery Threat actors may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, Threat actors may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as esxcli or vim-cmd (e.g. esxcli vm process list or vim-cmd vmsvc/getallvms). Threat actors may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host.