TA0032 Discovery
The adversary is trying to figure out your environment.
Discovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.
| Item | Value |
|---|---|
| ID | TA0032 |
| Created | 17 October 2018 |
| Last Modified | 27 January 2020 |
Techniques (8)
| ID | Name | Description |
|---|---|---|
| T1420 | File and Directory Discovery | Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. |
| T1430 | Location Tracking | Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. |
| T1430.001 | Remote Device Management Services | An adversary may use access to cloud services (e.g. Google’s Android Device Manager or Apple iCloud’s Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service. |
| T1430.002 | Impersonate SS7 Nodes | Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node. |
| T1423 | Network Service Scanning | Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device’s access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN). |
| T1424 | Process Discovery | Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. |
| T1418 | Software Discovery | Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. |
| T1418.001 | Security Software Discovery | Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. |
| T1426 | System Information Discovery | Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. |
| T1422 | System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. |
| T1421 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. |