Overview of MITRE ATT&CK Tactic: TA0007 – Discovery
Introduction
Discovery is the phase where attackers explore the environment they’ve gained access to. Their goal is to understand the environment before making their next move. They gather details about systems, users, network connections, and configurations to identify valuable targets and possible paths for escalation or movement.
Unlike the destructive stages of an attack, Discovery tends to look like normal administrative behavior, such as commands to list users, check shares, query services, or scan networks. That is what makes it both subtle and dangerous: what appears to be routine system activity could be an intruder mapping out your internal network.
This article explains the techniques and sub-techniques involved in the Discovery phase and how F5 solutions can help detect and mitigate them.
Techniques and Sub-Techniques
T1087 - Account Discovery
Account Discovery is the process of listing user and service accounts to identify administrators, service identities, and other high-value accounts an attacker might exploit. It often uses ordinary admin tools and commands, so that the activity can appear routine, but the information gathered guides next steps like lateral movement.
- T1087.001 - Local Account
Local Account Discovery is the process of listing local user accounts on a system to identify administrators and service accounts an attacker might exploit. It often uses standard OS utilities, so the activity can appear routine while exposing targets for escalation or persistence.
- T1087.002 - Domain Account
Domain Account Discovery is the process of enumerating domain users and groups (via LDAP/AD queries, PowerShell, or directory tools) to find privileged identities and group memberships. These look like normal admin queries but map high-value targets for lateral movement.
- T1087.003 - Email Account
Email Account Discovery is the process of enumerating mailboxes, distribution lists, and address-book entries to identify users and service addresses an attacker could abuse for phishing, account takeover, or data access. It typically leverages normal mail/server APIs and can blend with legitimate admin or support activity.
- T1087.004 - Cloud Account
Cloud Account Discovery is the process of listing cloud IAM users, roles, and service principals (via cloud APIs or CLIs) to find identities with elevated permissions. It uses legitimate API calls, so it can look ordinary while revealing routes to access cloud resources.
T1010 - Application Window Discovery
Application Window Discovery is the process of listing open application windows and their titles to identify running programs, user activity, or visible sensitive information an attacker might use for targeting or tailoring attacks.
T1217 - Browser Information Discovery
Browser Information Discovery is the process of collecting browser details (installed extensions, stored profiles, user agents, saved logins) to find credentials, session information, or weaknesses that can be leveraged for account takeover or web-based attacks.
T1580 - Cloud Infrastructure Discovery
Cloud Infrastructure Discovery is the process of enumerating cloud resources (instances, networks, subnets, load balancers) and their configurations to map the cloud environment and identify targets or misconfigurations for later exploitation.
T1538 - Cloud Service Dashboard
Cloud Service Dashboard Discovery is the process of accessing and inspecting cloud management consoles or dashboards to locate service settings, credentials, and controls that provide broad access to cloud resources.
T1526 - Cloud Service Discovery
Cloud Service Discovery is the process of identifying which cloud services and platforms are in use (storage, compute, databases, IAM) so an attacker knows where valuable data and privilege boundaries exist.
T1619 - Cloud Storage Object Discovery
Cloud Storage Object Discovery is the process of listing buckets/containers and their objects to find exposed data, backups, or configuration files that may contain credentials or sensitive information.
T1613 - Container and Resource Discovery
Container and Resource Discovery is the process of enumerating containers, images, orchestration metadata, and host resources to find misconfigured containers, sensitive images, or privileged runtime access that can be abused.
T1622 - Debugger Evasion
Debugger Evasion is the set of techniques aimed at detecting or avoiding debuggers and analysis tools so malicious code can run without being inspected, making it harder for defenders to analyse or interrupt the attack.
T1652 - Device Driver Discovery
Device Driver Discovery is the process of enumerating installed drivers and their versions to identify drivers that run with elevated privileges or contain known vulnerabilities. Attackers use this information to locate components that may permit deeper access to the operating system.
T1482 - Domain Trust Discovery
Domain Trust Discovery involves understanding how domains are connected through trust relationships. By mapping these links, attackers can find paths to move laterally between networks or escalate their access across environments.
T1083 - File and Directory Discovery
File and Directory Discovery is the systematic inspection of file systems to locate sensitive documents, configuration files, backups, and credential stores. This activity helps attackers determine where valuable data and access points reside.
T1615 - Group Policy Discovery
Group Policy Discovery is the examination of Group Policy Objects and applied policies to learn how systems and accounts are configured and managed. Attackers seek policy settings or scripts that might be abused for escalation or persistence.
T1046 - Network Service Discovery
Network Service Discovery is the identification of active services, open ports, and reachable hosts on a network. This reconnaissance provides a map of potential targets and informs subsequent exploitation or pivoting decisions.
T1057 - Process Discovery
Process Discovery is the enumeration of running processes to identify active applications, management agents, and security tools. Attackers use this insight to select processes for injection, monitoring, or to avoid detection.
T1012 - Query Registry
Query Registry is the examination of Windows registry keys and values to locate configuration data, startup entries, service parameters, or pointers to stored credentials and persistence mechanisms. Attackers use this to discover how software and services are configured, where secrets or startup hooks live, and which registry entries can be abused for persistence or information gathering.
T1018 - Remote System Discovery
Remote System Discovery is the mapping of reachable hosts, services, and shares on the network to identify neighbor systems and potential pivot points. Adversaries perform this to build a host-level picture of the environment and choose promising targets for lateral movement.
T1518 - Software Discovery
Software Discovery is the inventorying of installed applications, agents, and packages to identify potentially vulnerable or high-value software and management tooling. Attackers use this to select compatible exploits, locate management interfaces, or find components that grant elevated capabilities.
- T1518.001 - Security Software Discovery
Security Software Discovery targets the identification of antivirus, EDR, and logging solutions and, where possible, basic configuration or management endpoints. Attackers use this insight to understand visibility and plan evasion or disablement strategies.
- T1518.002 - Backup Software Discovery
Backup Software Discovery is the identification of backup solutions, repositories, and schedules to find archives or recovery points that contain broad datasets or credentials. Adversaries target backups for data theft or to remove recovery options during sabotage.
T1082 - System Information Discovery
System Information Discovery is the collection of host metadata—operating system, patch level, hardware identifiers, and environment details—to evaluate exploitability and tool compatibility. Attackers rely on this data to choose appropriate payloads and assess which techniques will work reliably.
T1614 - System Location Discovery
System Location Discovery determines a system’s physical site, subnet, or cloud region to inform targeting, nearby pivot choices, and exfiltration planning. Location context helps attackers pick plausible paths and avoid geofenced or restricted targets.
- T1614.001 - System Language Discovery
System Language Discovery inspects locale and language settings to tailor social-engineering, localize payloads, or bypass language-specific detections. Localized content increases credibility and can reduce false positives against multilingual defenses.
T1016 - System Network Configuration Discovery
System Network Configuration Discovery involves gathering interface details, routing tables, DNS, and proxy settings to understand how a host communicates and which network paths are available. Attackers use this to determine reachable targets, egress options, and suitable command-and-control channels.
- T1016.001 - Internet Connection Discovery
Internet Connection Discovery checks proxy, gateway, and egress configurations to determine how a host can reach the internet and which channels are available for command-and-control or data exfiltration. This informs selection of resilient external communication methods.
- T1016.002 - Wi-Fi Discovery
Wi-Fi Discovery enumerates wireless interfaces and nearby networks to identify alternate access paths, cached wireless credentials, or local lateral opportunities via nearby wireless infrastructure. Attackers may harvest saved SSIDs or leverage nearby networks to expand access.
T1049 - System Network Connections Discovery
System Network Connections Discovery lists active sockets and established connections to reveal live communications, ongoing sessions, and services in use. Attackers use this to identify active admin sessions, open channels, or opportunities for session reuse.
T1033 - System Owner/User Discovery
System Owner/User Discovery identifies the primary user or owner of a device to prioritize targets, tailor social-engineering, or select accounts likely to have useful access. Targeting a device’s main user often yields richer credentials or contextual information.
T1007 - System Service Discovery
System Service Discovery enumerates installed and running services to find those operating with elevated privileges, insecure configurations, or exploitable binaries that present persistence or escalation opportunities.
T1124 - System Time Discovery
System Time Discovery reads clocks, time zones, and uptime to coordinate scheduled actions, detect sandbox acceleration, or adjust timing for stealth. Time analysis helps attackers ensure payloads run at opportune moments and avoid analysis artifacts.
T1673 - Virtual Machine Discovery
Virtual Machine Discovery is the process of gathering instance or hypervisor data. Attackers use this to decide whether hypervisor-specific techniques or cloud metadata access are viable.
T1497 - Virtualization/Sandbox Evasion
Virtualization/Sandbox Evasion comprises techniques that detect analysis environments and alter or suppress malicious behavior, so payloads execute only in intended, real-world targets. This reduces the likelihood of automated analysis and increases operational longevity.
- T1497.001 - System Checks
System Checks are probes for virtualization artifacts like drivers, device names, registry entries, or other markers that indicate the presence of a VM or sandbox and inform evasion decisions.
- T1497.002 - User Activity-Based Checks
User Activity-Based Checks verify human-like activity (keyboard/mouse events, recent document access) before enabling sensitive actions, thereby avoiding execution in automated analysis environments.
- T1497.003 - Time-Based Checks
Time-Based Checks use timing characteristics like uptime, sleep durations, or clock behavior to detect instrumented or accelerated environments and delay or modify execution accordingly.
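As an added example (not from the article and not an F5 product), the script below shows the detection approach the introduction hints at: each discovery command looks routine on its own, so it maps command lines from process-creation logs to a subset of the technique IDs listed above and flags only hosts that chain several distinct techniques within a short window. The log format, the command-to-technique mapping and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: illustrative command-line patterns for some techniques above.
# Real detection rules need per-tool and per-OS tuning to limit false positives.
DISCOVERY_PATTERNS = {
    "T1087": re.compile(r"\bnet1?\s+(user|group|localgroup)\b", re.I),
    "T1033": re.compile(r"\bwhoami\b", re.I),
    "T1016": re.compile(r"\b(ipconfig|ifconfig|route\s+print)\b", re.I),
    "T1049": re.compile(r"\bnetstat\b", re.I),
    "T1057": re.compile(r"\btasklist\b|\bps\s+(aux|-ef)\b", re.I),
    "T1082": re.compile(r"\b(systeminfo|uname\s+-a)\b", re.I),
}
# Assumed (constructed) log format: "<iso-time> host=<h> user=<u> cmd=<cmdline>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=\S+\s+cmd=(?P<cmd>.*)$")
# Constructed sample telemetry: WS-A runs one admin command, WS-B runs a rapid
# chain of five techniques, WS-C spreads two techniques over several hours.
SAMPLE_LOG = """\
2024-05-01T09:00:01 host=WS-A user=itadmin cmd=ipconfig /all
2024-05-01T10:15:02 host=WS-B user=jdoe cmd=whoami /all
2024-05-01T10:15:09 host=WS-B user=jdoe cmd=net user /domain
2024-05-01T10:15:30 host=WS-B user=jdoe cmd=ipconfig /all
2024-05-01T10:16:05 host=WS-B user=jdoe cmd=netstat -ano
2024-05-01T10:16:40 host=WS-B user=jdoe cmd=systeminfo
2024-05-01T09:05:00 host=WS-C user=ops cmd=net localgroup administrators
2024-05-01T14:30:00 host=WS-C user=ops cmd=tasklist /v
""".splitlines()

def classify(cmdline):
    """Return the set of Discovery technique IDs a command line matches."""
    return {tid for tid, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}

def find_discovery_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Map host -> sorted technique IDs where >= threshold distinct techniques fall in one window."""
    events = defaultdict(list)  # host -> [(timestamp, technique id)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"])
        for tid in classify(m["cmd"]):
            events[m["host"]].append((ts, tid))
    flagged = {}
    for host, evs in events.items():
        evs.sort()  # chronological, so each start index sees only later events
        for i, (start, _) in enumerate(evs):
            seen = {tid for ts, tid in evs[i:] if ts - start <= window}
            if len(seen) >= threshold:
                flagged[host] = sorted(seen)
                break
    return flagged
```

With the defaults only WS-B is flagged; WS-C's two commands are hours apart, which is the kind of benign spread a single-command signature would still alert on.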
How F5 Can Help
F5 solutions help organizations defend against Discovery activities by minimizing what attackers can see or access within a network.
By observing traffic patterns and identifying unusual or probing behavior, F5 can flag initial survey attempts. It also limits system responses that might reveal internal details, making it harder for adversaries to map the environment or identify valuable targets. This proactive control helps to stop attacks before they progress beyond the information-gathering stage.
For more information, please contact your local F5 sales team.
Conclusion
Discovery is a critical phase in the attack lifecycle, where adversaries gather knowledge to plan their next moves. Understanding how these methods work allows defenders to detect early warning signs and limit the information available to potential attackers.
1 Comment
- cisiti5581
Hello. Intruders map out a network using ordinary administrative commands to identify high-value targets like admin accounts, cloud resources, and sensitive files. Because these actions mimic routine system activity, they are difficult to detect, yet they are essential for attackers to plan lateral movement and escalation.