
🔍MITRE ATT&CK: Tactic TA0007 Discovery

  • Writer: bharat kumar
  • Oct 25
  • 3 min read


“Know your target — before striking.” Once attackers enter a network, their next mission isn’t immediate destruction — it’s information gathering. This phase, called Discovery, is where adversaries map the environment, users, systems, and defenses to plan their next moves like privilege escalation, lateral movement, or data theft.

💡 What Happens in Discovery

Attackers use legitimate tools like PowerShell, CMD, Bash, cloud consoles, or scripts to explore the environment, blending in with normal admin behavior. The goal: understand everything, from who’s logged in to what’s running, what’s protected, and where valuable data hides. Because these are the same commands administrators run every day, detection hinges on context (who ran the command, from which parent process, and how many discovery commands followed) rather than on any single command.

🧩 Key Techniques Under TA0007

Here’s a breakdown of the most common discovery actions, with real-world examples and quick defenses 👇

👤 1. Account Discovery (T1087)

Attackers list local, domain, email, or cloud accounts to identify users with admin rights (for example net user /domain, Get-ADUser -Filter *, or aws iam list-users with a stolen key).
🛡️ Tip: Limit who can query the directory at scale, enable MFA, and alert on bulk account lookups, especially from workstations or service accounts that have never done them before.

🪟 2. Application Window Discovery (T1010)

They enumerate open windows or applications to detect useful tools or security software.
🛡️ Tip: Monitor for API calls such as GetForegroundWindow and EnumWindows, and for scripts that read window titles (for example PowerShell Get-Process with its MainWindowTitle property), especially from processes that have no reason to inspect the desktop.

🌐 3. Cloud & Infrastructure Discovery (T1580, T1526, T1538)

In cloud environments, attackers list virtual machines, storage buckets, databases, and dashboards using stolen keys or tokens.
🛡️ Tip: Enable cloud audit logging (CloudTrail, Azure Activity Log, Google Cloud Audit Logs) and alert on bursts of list and describe calls, particularly from a credential that has never touched those services or from a new source IP.
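The audit-log alerting in this tip, as an added example (not code from the original post): a Python function that reads CloudTrail-style records, counts enumeration calls (List*, Describe*, plus the account-wide IAM dump GetAccountAuthorizationDetails and the usual first call GetCallerIdentity) per access key inside a five-minute sliding window, and alerts when both the call count and the number of distinct services cross a threshold. The records are constructed and flattened for the example (real CloudTrail nests the key under userIdentity), the access key IDs are fake, and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# API names treated as enumeration. Prefix match covers List*/Describe* across
# services; the two exact names are common first calls made with a stolen key.
ENUM_PREFIXES = ("List", "Describe")
ENUM_EXACT = {"GetAccountAuthorizationDetails", "GetCallerIdentity"}


def is_enumeration(event_name):
    """True for read-only enumeration APIs, False for mutating calls like RunInstances."""
    return event_name.startswith(ENUM_PREFIXES) or event_name in ENUM_EXACT


def parse_time(value):
    # CloudTrail timestamps are UTC with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_enum_bursts(records, window=timedelta(minutes=5), min_calls=8, min_services=3):
    """Alert per access key when >= min_calls enumeration calls touching
    >= min_services distinct services fall inside one sliding window.
    Thresholds are assumptions for this example, not recommended defaults."""
    by_key = defaultdict(list)
    for r in records:
        if is_enumeration(r["eventName"]):
            by_key[r["accessKeyId"]].append(
                (parse_time(r["eventTime"]), r["eventSource"], r["eventName"]))
    alerts = []
    for key, calls in by_key.items():
        calls.sort()
        for i, (start, _, _) in enumerate(calls):
            in_window = [c for c in calls[i:] if c[0] - start <= window]
            services = {c[1] for c in in_window}
            if len(in_window) >= min_calls and len(services) >= min_services:
                alerts.append({
                    "accessKeyId": key,
                    "start": start.isoformat(),
                    "calls": len(in_window),
                    "services": sorted(services),
                    "apis": [c[2] for c in in_window],
                })
                break  # one alert per key is enough for this example
    return alerts


def _rec(time, source, name, key, user):
    # Flattened, constructed record shape (real CloudTrail nests accessKeyId under userIdentity).
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "accessKeyId": key, "userName": user}


# Constructed sample log: one legitimate deploy pipeline and one stolen key.
SAMPLE_RECORDS = [
    # Routine pipeline: a few EC2 describes around a launch, a single service.
    _rec("2024-05-01T13:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAPIPELINEEXAMPLE", "deploy-bot"),
    _rec("2024-05-01T13:00:02Z", "ec2.amazonaws.com", "RunInstances", "AKIAPIPELINEEXAMPLE", "deploy-bot"),
    _rec("2024-05-01T13:02:30Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAPIPELINEEXAMPLE", "deploy-bot"),
    _rec("2024-05-01T13:04:00Z", "ec2.amazonaws.com", "DescribeInstanceStatus", "AKIAPIPELINEEXAMPLE", "deploy-bot"),
    # Stolen developer key: rapid read-only sweep across many services in two minutes.
    _rec("2024-05-01T13:20:01Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:20:05Z", "iam.amazonaws.com", "ListUsers", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:20:09Z", "iam.amazonaws.com", "ListRoles", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:20:14Z", "iam.amazonaws.com", "GetAccountAuthorizationDetails", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:20:30Z", "s3.amazonaws.com", "ListBuckets", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:20:45Z", "ec2.amazonaws.com", "DescribeInstances", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:20:52Z", "ec2.amazonaws.com", "DescribeSecurityGroups", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:21:10Z", "rds.amazonaws.com", "DescribeDBInstances", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:21:33Z", "lambda.amazonaws.com", "ListFunctions", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
    _rec("2024-05-01T13:21:50Z", "secretsmanager.amazonaws.com", "ListSecrets", "AKIASTOLENKEYEXAMPLE", "dev-alice"),
]

if __name__ == "__main__":
    for alert in detect_enum_bursts(SAMPLE_RECORDS):
        print(f"[ALERT] key={alert['accessKeyId']} from {alert['start']}: "
              f"{alert['calls']} enumeration calls across {len(alert['services'])} services")
        print("        ", ", ".join(alert["apis"]))
```

The pipeline key never trips the rule because it only ever describes EC2, while the stolen key is caught by breadth as much as by volume: ten calls is not unusual on its own, but ten calls spanning seven services in two minutes is the signature of someone mapping an account they have just gained access to. Raising either threshold alone lets one of the two behaviours through, which is why the check requires both.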

🧱 4. File and Directory Discovery (T1083)

Adversaries search through folders to locate documents, credentials, and configuration files.
🛡️ Tip: Restrict access to sensitive directories and monitor recursive file listings (dir /s, tree, find / -name) and searches for strings like "password" or key-store extensions such as .kdbx and .pem.

🧾 5. Log Enumeration (T1654)

They read system and security logs to learn which accounts log in, which hosts exist, and which security tools are installed. (Deleting or tampering with logs is a separate Defense Evasion technique, not Discovery.)
🛡️ Tip: Centralize and protect log files, forward them off-host as soon as they are written, and allow only security teams to read them; alert when wevtutil or Get-WinEvent is run by an account that does not administer logging.

🌍 6. Network Discovery (T1018, T1049, T1016)

Mapping the internal network reveals other hosts (net view, nltest, arp -a), active connections (netstat), and local network settings (ipconfig, ifconfig, nslookup). Port scanning to find open services is catalogued separately in ATT&CK as Network Service Discovery.
🛡️ Tip: Use segmentation and detect internal scans or unusual net view and ping bursts; a workstation that suddenly talks to dozens of hosts it has never contacted is a strong signal.

🧠 7. Process & Service Discovery (T1057, T1007)

Attackers list running processes and services to find AV, EDR, or valuable applications.
🛡️ Tip: Monitor commands like tasklist, ps, Get-Process, or sc query when they come from unexpected accounts or parent processes (an Office document spawning tasklist is rarely legitimate).

💻 8. Software & Security Tool Discovery (T1518)

They identify installed software, patch versions, and defensive tools (Security Software Discovery is the sub-technique T1518.001).
🛡️ Tip: Alert when security product names are queried, for example via wmic product get name, Get-WmiObject Win32_Product, the root\SecurityCenter2 WMI namespace, or reads of the Uninstall registry keys, and when the same account queries several of them in a row.

🧮 9. System Information Discovery (T1082)

Gathering host names, OS versions, and hardware details (systeminfo, hostname, uname -a) helps attackers choose exploits and decide whether they have landed in a sandbox.
🛡️ Tip: Watch for system-information commands run in bulk or from scripts, and automate alerts on host fingerprinting by non-admin accounts.

🕵️‍♂️ 10. User, Time & Location Discovery (T1033, T1124, T1614)

Checking user names, time zones, and languages helps attackers tailor their behavior or avoid certain regions.
🛡️ Tip: Track repeated queries for locale, time zone, or whoami coming from scripts rather than interactive shells.

🧰 11. Container & VM Discovery (T1613, T1673)

Attackers look for virtual machines, Kubernetes pods, or container images to pivot into other workloads.
🛡️ Tip: Apply RBAC in Kubernetes so service accounts cannot list pods or secrets cluster-wide, enable API-server audit logging, and monitor API calls that list pods, nodes, secrets, or VMs.

🔐 12. Permission Groups Discovery (T1069)

They check which accounts belong to privileged groups like “Administrators” or “Domain Admins” (net localgroup administrators, net group "Domain Admins" /domain).
🛡️ Tip: Limit group enumeration rights and alert on sudden group-membership checks, especially queries for Domain Admins or Enterprise Admins from ordinary user context.

⚙️ Common Tools Used

  • PowerShell / WMIC / CMD

  • netstat / ifconfig / ipconfig / nslookup

  • ADSI / LDAP / Azure CLI / AWS CLI

  • kubectl / docker commands

🚨 Defensive Recommendations

🧭 1. Least Privilege Everywhere
Only allow minimum access to systems, APIs, and directories.

📋 2. Log and Alert All Discovery Behavior
Monitor commands like whoami, systeminfo, net view, tasklist, and cloud API enumeration. Baseline first: administrators run these too, so weight alerts by who ran the command, from which parent process, and how many discovery commands followed.

🔍 3. Detect Patterns, Not Just Commands
Attackers chain actions, e.g., “discover users → list hosts → scan network.” Spot that sequence: several distinct discovery techniques from one account on one host within a few minutes is a far stronger signal than any single command.

🧱 4. Segment Networks & Isolate Admin Zones
Limit how far attackers can move once they map your systems.

🔑 5. Secure the Cloud Plane
Enable MFA, restrict IAM permissions, and alert on unusual “list” or “describe” API activity.

🕒 6. Regular Hunt Exercises
Perform red-team/blue-team drills that simulate discovery tactics to fine-tune detections.
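The sequence detection in recommendations 2 and 3, as an added example (not code from the original post): a small Python detector that maps process-creation command lines to the technique IDs listed on this page and alerts when one user on one host runs commands from three or more distinct discovery techniques within ten minutes. The event shape (timestamp, host, user, command line), the host and user names, and the sample events are constructed for this illustration; the pattern table and the thresholds are starting points to tune, not a complete catalogue.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns mapped to the TA0007 technique IDs used on this page.
# Illustrative subset, not a complete catalogue.
DISCOVERY_PATTERNS = [
    (r"^whoami\b", "T1033"),                              # System Owner/User Discovery
    (r"^net1?\s+user\b", "T1087"),                         # Account Discovery
    (r"^net1?\s+(local)?group\b", "T1069"),                # Permission Groups Discovery
    (r"^net1?\s+view\b|^nltest\b|^arp\s+-a\b", "T1018"),  # Remote System Discovery
    (r"^ipconfig\b|^ifconfig\b|^nslookup\b", "T1016"),    # System Network Configuration Discovery
    (r"^netstat\b", "T1049"),                              # System Network Connections Discovery
    (r"^tasklist\b|^ps\b", "T1057"),                       # Process Discovery
    (r"^sc\s+query\b", "T1007"),                           # System Service Discovery
    (r"^systeminfo\b|^hostname\b|^uname\b", "T1082"),     # System Information Discovery
    (r"^dir\s+/s\b|^tree\b|^find\s+/", "T1083"),          # File and Directory Discovery
]


def normalize(command_line):
    """Lower-case, drop a leading drive path on the image, and drop its .exe suffix."""
    cmd = command_line.strip().lower()
    cmd = re.sub(r'^"?[a-z]:\\[^\s"]*\\', "", cmd)   # c:\windows\system32\net1.exe -> net1.exe
    cmd = re.sub(r'^([^\s"]+?)\.exe"?', r"\1", cmd)  # net1.exe -> net1
    return cmd


def classify(command_line):
    """Return the technique ID for a discovery command line, or None if it is not one."""
    cmd = normalize(command_line)
    for pattern, technique in DISCOVERY_PATTERNS:
        if re.search(pattern, cmd):
            return technique
    return None


def detect_chains(events, window=timedelta(minutes=10), min_techniques=3):
    """Group discovery commands by (host, user) and alert when commands from
    >= min_techniques distinct techniques fall inside one sliding window.
    Each event is (iso_timestamp, host, user, command_line); thresholds are assumptions."""
    by_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        technique = classify(cmd)
        if technique:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), technique, cmd))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            in_window = [h for h in hits[i:] if h[0] - start <= window]  # sorted, so a prefix
            techniques = sorted({h[1] for h in in_window})
            if len(techniques) >= min_techniques:
                alerts.append({
                    "host": host, "user": user,
                    "start": start.isoformat(), "end": in_window[-1][0].isoformat(),
                    "techniques": techniques,
                    "commands": [h[2] for h in in_window],
                })
                i += len(in_window)  # skip the burst so it is reported once
            else:
                i += 1
    return alerts


# Constructed sample events (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    # Routine admin activity: one network command, no chain.
    ("2024-05-01T09:02:11", "WS-FIN-07", "CORP\\jsmith", "ipconfig /all"),
    ("2024-05-01T09:40:00", "WS-FIN-07", "CORP\\jsmith", "notepad.exe budget.xlsx"),
    # Post-compromise discovery chain on one host by one account in under five minutes.
    ("2024-05-01T13:14:02", "WS-HR-03", "CORP\\svc_backup", "whoami /all"),
    ("2024-05-01T13:14:20", "WS-HR-03", "CORP\\svc_backup", "C:\\Windows\\System32\\net1.exe user /domain"),
    ("2024-05-01T13:15:05", "WS-HR-03", "CORP\\svc_backup", "net group \"Domain Admins\" /domain"),
    ("2024-05-01T13:16:40", "WS-HR-03", "CORP\\svc_backup", "nltest /dclist:corp.local"),
    ("2024-05-01T13:17:12", "WS-HR-03", "CORP\\svc_backup", "tasklist /svc"),
    ("2024-05-01T13:18:55", "WS-HR-03", "CORP\\svc_backup", "systeminfo"),
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} {alert['user']} {alert['start']}..{alert['end']} "
              f"techniques={','.join(alert['techniques'])}")
        for cmd in alert["commands"]:
            print("    ", cmd)
```

The administrator's lone ipconfig is classified (T1016) but never alerted on, because the rule keys on breadth of technique per actor rather than on any one command; the service account's six commands span six techniques and fire a single alert carrying the whole command list, which is what an analyst needs to triage. In production the same logic sits on Sysmon event 1 or Windows 4688 with command-line auditing enabled, and the pattern table should be extended with the PowerShell and Linux equivalents your fleet actually sees.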


💬 Final Thought

Discovery is the recon heartbeat of every successful cyberattack. The earlier you detect it, the faster you can stop attackers before they learn your network’s secrets. 🔒 Stay vigilant. Keep your environment a mystery to those who shouldn’t explore it.



Created by and owned by cybersergeants.org
