ATT&CK techniques
212 top-level MITRE ATT&CK Enterprise techniques (T-IDs), grouped by tactic. Filter to a tactic or browse the full kill chain, then click into a technique for sub-techniques and mitigations. Authored by Adam Lundqvist.
29 in Discovery · 212 total
| ID | Title | Summary |
|---|---|---|
| T1007 | System Service Discovery | Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS u… |
| T1010 | Application Window Discovery | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevaili… |
| T1012 | Query Registry | Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a sign… |
| T1016 | System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information d… |
| T1018 | Remote System Discovery | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Moveme… |
| T1033 | System Owner/User Discovery | Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using t… |
| T1046 | Network Service Discovery | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable t… |
| T1049 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by queryi… |
| T1057 | Process Discovery | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/… |
| T1069 | Permission Groups Discovery | Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available… |
| T1082 | System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architec… |
| T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Ad… |
| T1087 | Account Discovery | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can… |
| T1120 | Peripheral Device Discovery | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery L… |
| T1124 | System Time Discovery | An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a … |
| T1135 | Network Share Discovery | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection a… |
| T1201 | Password Policy Discovery | Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are … |
| T1217 | Browser Information Discovery | Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and bro… |
| T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain… |
| T1518 | Software Discovery | Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the in… |
| T1526 | Cloud Service Discovery | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), … |
| T1538 | Cloud Service Dashboard | An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific s… |
| T1580 | Cloud Infrastructure Discovery | An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes co… |
| T1613 | Container and Resource Discovery | Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, depl… |
| T1614 | System Location Discovery | Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Loc… |
| T1615 | Group Policy Discovery | Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to disco… |
| T1619 | Cloud Storage Object Discovery | Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors… |
| T1652 | Device Driver Discovery | Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-o… |
| T1654 | Log Enumeration | Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as us… |