The 9th tactic in the MITRE ATT&CK Enterprise Matrix is a fun one. ATT&CK’s Discovery is essential in any operation. No matter how solid the recon efforts were beforehand, circumstances change. All of the preparation in the world can’t replace updated intelligence. To be effective and achieve the end goals, adversaries need to dig deeper and gain knowledge of the environment. Both physical adversaries and cyber adversaries practice this behavior, but with slightly different stakes. In both cases, discovery efforts not only help refocus the operation and steer it towards its objectives, but also offer intel that can help the adversary cover their tracks. Let’s take a look at how discovery happens and what it can bring!

The importance of Discovery

Reconnaissance (TA0043) equips adversaries with an idea of what they will encounter. This step’s value is unquestionable. Much of the operation’s early stages are influenced by those findings. Traditional invaders might have insight on garrison levels, weapon locations, relative morale, and command structure. Cyber adversaries similarly use recon to determine the initial access method, some starter identities, and the systems and defenses they’ll likely face. But recon alone has its limits. There is no substitute for being there – for seeing the lay of the land and adjusting accordingly. Recon prior to an incursion can’t reveal all conditions, and it will not be able to predict movements and adjustments made by the defenders. Similarly, cyber recon is unable to reveal more technical details, such as paths, locations, registry entries and the like. Once inside an environment, adversaries must gain these insights to inform their next steps.

Discovery techniques help adversaries uncover lots of useful nuggets. What sorts of defensive tools, policies, and configurations are in place? Where have the defenders hidden their secrets or sensitive information? What tools do the target systems offer that may be of use? With this information, adversaries adjust their plans to more quietly and reliably obtain their end-goals.

meterpreter > powershell_execute 'Get-Process | Where-Object -Property Name -EQ "lsass"'
[+] Command execution completed:

Handles  NPM(K) PM(K)  WS(K)     CPU(s)     Id  SI ProcessName
-------  ------ -----  -----     ------     --  -- -----------
   1213      25  5643  18200       1.17    231   0 lsass

Tracking down hashes for credential access is a super popular goal in ATT&CK’s Discovery techniques. Here the adversary is using a meterpreter session but abusing PowerShell to glean the information.

Discovery’s role in correcting assumptions: June 6th, 1944

For almost two years of World War II, several of the Allies (US, UK, Canada, the Free French Forces, and units from Poland, Belgium, Netherlands, and Norway) planned the invasion at Normandy. Veterans of the campaign recall the extensive use of sand tables and the selection of English countryside environments that best mimicked the eventual access paths through Omaha, Utah, Juno, Gold, and Sword Beaches. The paratroopers and glider infantry were similarly drilled. The planners chose these locations and tactics based on the best reconnaissance available over that time. They selected these initial access vectors for the invasion based on an assessment of the German “Atlantic Wall” fortifications and perceived troop strengths.

“Do not try to make circumstances fit your plans. Make plans that fit the circumstances.”

General George S. Patton (who was not at D-Day and instead served as the commander of a deception plan, Operation Bodyguard)

This recon and intelligence was perishable and incomplete. Weather, tides, and misinterpreted aerial photographs saw most beach landings and airborne drops miss their marks, encounter unforeseen obstacles, or meet heavier German resistance. By the end of the first day, not a single Allied objective had been accomplished. Had the Allies placed too much importance on their recon, the invasion would have failed. Luckily, Eisenhower and his staff understood the importance of improvisation. Soldiers landing in Normandy quickly assessed their surroundings, discovered the resources and paths available to them, and coordinated attacks and movements no amount of pre-invasion planning could have anticipated.

Needless to say, everyone from Eisenhower on down hoped for better news after their initial access, but they did not let their less-than-graceful start hold them up for long. (from the Montgomery account “Normandy to the Baltic” as shown here.)

Adversarial Agility: Discovery’s role in cyber attacks

Any Red Team or adversary worth their salt treats discovery as an essential element of their operations. Unless the target environment was only just breached, or was already accessed by the adversary or their friends, it is impossible to account in advance for all of the detailed on-system information they’ll need. Information hogs the spotlight, but in recent years savvy attackers also look for tools in target systems that they can abuse – the so-called Living-off-the-Land binaries (LOLBins). The new orientation with respect to objectives and an assessment of available tools dramatically influence the plans of a sophisticated threat actor. Some threat actors, like Admin@338, focus a great deal of their time on exploring after their initial access, as seen below.

ADMIN@338 seems to have no qualms about sneaking a peek once inside the target environment, using ‘advanced’ Windows tools like dir, netstat, ipconfig, and systeminfo (from https://ma-insights.vercel.app/adversaries)

Looking at some more notable campaigns in cybersecurity lore, STUXNET stands out here. In the 2007-2010 time frame, a state-sponsored adversary delivered multiple surgically tailored malware payloads to an air-gapped environment with the objective of disrupting the Iranian regime’s ability to enrich uranium for weapons. Iran’s antagonists went so far as to uncover specific model numbers and versions of firmware running on Iranian centrifuges. They also spent considerable time after initial access making small tweaks to their actions and measuring the impact. The cryptic messaging and reactions of the Iranian scientists were in effect feedback from discovery activities, and allowed the attackers to adjust their work for greater impact. For what it is worth, Kim Zetter’s book “Countdown to Zero Day” is a fantastic look at this modern caper, and shows what extremes an APT may take ATT&CK’s Discovery to!

Stuxnet’s more detailed attack chains are a lesson in patience and surgical precision, but even in this FT rendering, Stage 3 shows the importance of the malware-driven discovery to proceed.

Discovery: if you’re not cheating, you’re not trying (apparently)

ATT&CK’s Discovery (TA0007) Tactic offers a ton of variety in the 32 techniques it covers. Some of the techniques have a very distinct focus, and I have tried to sort them based on the primary use case. While Local System discovery used to be all the rage, cloud discovery has become a discipline all its own. Likewise, adversaries who run custom tools but fear capture spend considerable effort in evading detection techniques like sandboxes or honeypots. Network discovery is a classic with tons of variety for acquiring useful intel.

Cloud & Container
  • Cloud Service Dashboard (T1538)
  • Cloud Storage Object Discovery (T1619)
  • Account Discovery (T1087)
  • Cloud Infrastructure Discovery (T1580)
  • Cloud Service Discovery (T1526)
  • Container and Resource Discovery (T1613)

Local System
  • Application Window Discovery (T1010)
  • File and Directory Discovery (T1083)
  • Local Account Discovery (T1087)
  • Network Configuration Discovery (T1016)
  • Browser Information Discovery (T1217)
  • Password Policy Discovery (T1201)
  • Device Driver Discovery (T1652)
  • Peripheral Device Discovery (T1120)
  • Process Discovery (T1057)
  • Query Registry (T1012)
  • Software Discovery (T1518)
  • System Owner/User Discovery (T1033)
  • Permission Groups Discovery (T1069)
  • System Information Discovery (T1614)
  • System Service Discovery (T1007)

Network
  • Network Share Discovery (T1135)
  • Remote System Discovery (T1018)
  • System Network Configuration Discovery (T1016)
  • System Network Connections Discovery (T1049)
  • System Owner/User Discovery (T1033)
  • Network Security Appliance Discovery (T1600)
  • Domain Trust Discovery (T1482)
  • Group Policy Discovery (T1615)
  • Log Enumeration (T1654)
  • Network Service Discovery (T1046)
  • Network Sniffing (T1040)

Evasion
  • Virtualization/Sandbox Evasion (T1497)
  • Debugger Evasion (T1622)
  • System Time Discovery (T1124)

These categories are not absolute, but this should help show where the primary focus for each technique tends to be.

What should stand out is that there are some overlapping techniques, some of which deliver similar outcomes. I am curious to hear from folks who work in both on-premises environments and in Azure just how much discovery in the two leverages similar strategies, especially around accounts and services. Adversaries have a lot of choices in how they implement their procedures, and ATT&CK’s Discovery pages provide a lot of insight into how adversaries carry out their ops. As an ATT&CK hobbyist, these style points look like an area for significant differentiation from APT to APT.

How do we avoid the glare of Adversary Discovery?

Some amount of discovery activity is inevitable. And a few of the techniques should never see legitimate use, but what do we do about the rest? Most organizations should look to detect abnormal use of these techniques. The patterns of odd users in strange places reveal a lot and can even point to other behaviors that spawned them. Sometimes forgotten is that while we may not want to disable the tools used in discovery, we may be able to restrict what they have access to. The less a particular procedure discloses, the more difficult the attacker’s job, and the less enticing the target environment is. After all, if we give up just because a direct mitigation isn’t available, what fun is that?

Don’t give up, folks! You can still detect and take a higher level action!

So what are those potential mitigations?

  • Harden the environment: operating system and infrastructure device configurations should include restrictions on who can enumerate information.
  • User Account Management: strict permissions and privileged account management are essential to reducing the danger posed by an incursion. Add MFA in there too while you are at it!
  • Log Collection & Monitoring: the abuse of LOLBins in an environment is most easily seen in logs, whether from the OS itself or from an EDR agent protecting it. Looking for command execution, process creation, or API calls (which may call for other API-focused detection solutions) is invaluable.
  • Access Restrictions & Segmentation: along with User Account Management, this bucket of mitigations ensures that the span of what an adversary can see is severely restricted. Think of this as obfuscation – like a smoke screen or the use of hedgerows in your environment.
  • Audit: in domains, trust relationships tie closely with roles and services. Make sure those are configured properly and track any changes.
  • Encryption: at rest or in motion, it is harder for adversaries to harvest sensitive information if you make it unreadable. Not perfect, but it can reduce the impact of a leak!
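The Log Collection & Monitoring bullet above, and the lsass process-discovery session shown earlier in the post, both come down to the same defensive question: can we spot one principal working through several discovery techniques in a short span? The following is an added example, not code from the original post or from MITRE, that answers it over a handful of constructed process-creation records. The record fields (ts, host, user, parent, cmd), the command-to-technique mapping, the 5-minute window and the threshold of three distinct techniques are all this example’s own assumptions; the technique IDs are those the post’s table uses.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery LOLBin patterns mapped to technique labels from the post's table.
# Patterns are matched against the lower-cased command line. The mapping is
# this example's assumption, not something the post itself states.
DISCOVERY_PATTERNS = [
    (r"\bwhoami\b",                   "T1033 System Owner/User Discovery"),
    (r"\bipconfig\b",                 "T1016 System Network Configuration Discovery"),
    (r"\bnetstat\b",                  "T1049 System Network Connections Discovery"),
    (r"\bnet(1)?\s+user\b",           "T1087 Account Discovery"),
    (r"\bnet(1)?\s+(local)?group\b",  "T1069 Permission Groups Discovery"),
    (r"\bnet(1)?\s+accounts\b",       "T1201 Password Policy Discovery"),
    (r"\bnet(1)?\s+view\b",           "T1018 Remote System Discovery"),
    (r"\bnltest\b.*domain_trusts",    "T1482 Domain Trust Discovery"),
    (r"\btasklist\b|get-process",     "T1057 Process Discovery"),
    (r"\breg(\.exe)?\s+query\b",      "T1012 Query Registry"),
]

# Constructed sample events (JSON lines), loosely modelled on the fields of a
# Windows process-creation record. Not real telemetry. One principal on FS02
# walks through several discovery commands in under two minutes; the other
# two records are isolated, everyday use of the same binaries.
SAMPLE_LOG = r"""
{"ts": "2024-06-06T09:00:01", "host": "WS01", "user": "CORP\\jdoe", "parent": "explorer.exe", "cmd": "ipconfig /all"}
{"ts": "2024-06-06T09:14:10", "host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "whoami /all"}
{"ts": "2024-06-06T09:14:42", "host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "net user /domain"}
{"ts": "2024-06-06T09:15:03", "host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "net group \"Domain Admins\" /domain"}
{"ts": "2024-06-06T09:15:31", "host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "nltest /domain_trusts"}
{"ts": "2024-06-06T09:16:05", "host": "FS02", "user": "CORP\\svc_backup", "parent": "powershell.exe", "cmd": "powershell -c \"Get-Process | Where-Object -Property Name -EQ lsass\""}
{"ts": "2024-06-06T10:30:00", "host": "WS03", "user": "CORP\\asmith", "parent": "explorer.exe", "cmd": "netstat -ano"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def match_techniques(cmd):
    """Return the set of technique labels whose pattern appears in the command line."""
    lowered = cmd.lower()
    return {label for pattern, label in DISCOVERY_PATTERNS if re.search(pattern, lowered)}


def detect_discovery_bursts(events, window=timedelta(minutes=5), min_techniques=3):
    """Group hits by (host, user) and alert when one principal touches at least
    `min_techniques` distinct discovery techniques inside a sliding time window.
    A single ipconfig or netstat never alerts on its own; the combination does."""
    by_principal = defaultdict(list)
    for ev in events:
        techs = match_techniques(ev["cmd"])
        if techs:
            by_principal[(ev["host"], ev["user"])].append((ev["ts"], techs, ev["cmd"]))

    alerts = []
    for (host, user), hits in by_principal.items():
        i = 0
        while i < len(hits):
            seen, cmds, j = set(), [], i
            # Extend the window forward from hit i while events stay within it.
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                seen |= hits[j][1]
                cmds.append(hits[j][2])
                j += 1
            if len(seen) >= min_techniques:
                alerts.append({
                    "host": host, "user": user,
                    "start": hits[i][0], "end": hits[j - 1][0],
                    "techniques": sorted(seen), "commands": cmds,
                })
                i = j  # window consumed; do not raise overlapping alerts
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in detect_discovery_bursts(parse_events(SAMPLE_LOG)):
        print(f"[{a['host']}] {a['user']} {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}: "
              f"{len(a['techniques'])} discovery techniques")
        for t in a["techniques"]:
            print("   ", t)
```

The point of scoring distinct techniques per principal, rather than alerting on any single binary, is the one the post makes: most of these tools have legitimate daily use, so the detection has to key on the pattern of use (who, where, how many in how short a time) instead of on the tool. Real deployments would feed Sysmon Event ID 1 or Security 4688 records in place of the constructed lines and tune the window and threshold to the environment’s baseline.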

Conclusion

Discovery is where a lot of adversaries end up developing habits, and those habits become behaviors we can detect. As you explore MITRE ATT&CK’s database, it is amazing how many of the techniques in ATT&CK’s Discovery tactic lack a reasonable mitigation. Every one of these techniques, however, has a data source listed (previously known as detections). These are key to reacting in time to the inevitable discovery activities of your adversary.

The German High Command missed some of those opportunities, or downplayed them altogether. It may be that they were still convinced that a larger landing may hit Calais, or that they were thrown off by the same chaos the Allies were when so many paratroopers and glider infantry were dropped way off course. One side improvised heavily, supported by the trust and preparation offered them by their command structure. The other was highly centralized, and inflexible. One shudders to think what would have happened if Hitler had not kept 3 Panzer divisions in reserve by his orders alone. Or if he had instilled more autonomy into his field generals to improvise and respond.

Discovery and improvisation allowed the Allies to reevaluate and make progress in the days that followed. Recon alone would have been disastrous. (from the Montgomery account “Normandy to the Baltic” as shown here.)

In our discussion of the stakes in last week’s post, we saw that the relative insulation of operating digitally offered cover and reduced tangible risk to the aggressors. They could stand to burn credential sets in their efforts, and had plenty to spare. The same can be said in ATT&CK’s Discovery tactic. With the exception of highly sensitive intelligence operations, or nation-state positioning inside of critical infrastructure, there is almost always room to make some mistakes or try new things. This says as much about the versatility and boldness of attackers as it does about our inability to stand in the way, or to even see it happening. So get your detection house in order, folks!

I hope this post on the MITRE ATT&CK Discovery tactic has been worth the wait, and that you find it helpful! Please reach out if you would like to continue the conversation!