The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Techniques: 31

ID  Name  Description

T1087  Account Discovery: Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
  .001  Local Account: Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
  .002  Domain Account: Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
  .003  Email Account: Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).
  .004  Cloud Account: Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
T1010  Application Window Discovery: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used. For example, information about application windows could be used to identify potential data to collect as well as to identify security tooling (Security Software Discovery) to evade.
T1217  Browser Information Discovery: Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
T1580  Cloud Infrastructure Discovery: An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
T1538  Cloud Service Dashboard: An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.
T1526  Cloud Service Discovery: An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ between platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
T1619  Cloud Storage Object Discovery: Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e., Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.
T1613  Container and Resource Discovery: Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
T1622  Debugger Evasion: Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
T1652  Device Driver Discovery: Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e., Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potentially exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
T1482  Domain Trust Discovery: Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.
T1083  File and Directory Discovery: Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
T1615  Group Policy Discovery: Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in to the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path, \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.
T1046  Network Service Discovery: Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
T1135  Network Share Discovery: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
T1040  Network Sniffing: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
T1201  Password Policy Discovery: Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g., if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 so as to not lock out accounts).
T1120  Peripheral Device Discovery: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
T1069  Permission Groups Discovery: Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
  .001  Local Groups: Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
  .002  Domain Groups: Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
  .003  Cloud Groups: Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
T1057  Process Discovery: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
T1012  Query Registry: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
T1018  Remote System Discovery: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping or net view using Net.
T1518  Software Discovery: Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  .001  Security Software Discovery: Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
T1082  System Information Discovery: An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
T1614  System Location Discovery: Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  .001  System Language Discovery: Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.
T1016  System Network Configuration Discovery: Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
  .001  Internet Connection Discovery: Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways, such as using Ping, tracert, and GET requests to websites.
T1049  System Network Connections Discovery: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
T1033  System Owner/User Discovery: Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
T1007  System Service Discovery: Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.
T1124  System Time Discovery: An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
T1497  Virtualization/Sandbox Evasion: Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
  .001  System Checks: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
  .002  User Activity Based Checks: Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
  .003  Time Based Evasion: Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.