# Discovery Techniques (MITRE ATT&CK TA0007)
## Definition
Discovery is what happens after an attacker gets in. In MITRE ATT&CK, Tactic TA0007 covers the techniques adversaries use to gain knowledge about the systems, networks, accounts, and data they have accessed. Discovery is not the final objective. It is the intelligence-gathering phase that makes every subsequent phase possible.
When an attacker lands on a compromised host, they face a fundamental orientation problem: they know they are inside, but they do not yet know what they have access to, what else is reachable, where the high-value targets are located, or how to get from their current foothold to those targets. Discovery solves that problem. Without it, lateral movement is blind, credential theft is undirected, and data collection is incomplete.
MITRE ATT&CK TA0007 catalogues over thirty distinct discovery sub-techniques. They fall into recognizable categories: system and host information gathering, network and infrastructure mapping, account and permission enumeration, and cloud resource discovery. Each category answers a specific question the attacker needs answered before proceeding.
Within the Planetary Defense Model (PDM), discovery activity is a TID (Threat Intelligence and Defense) detection problem governed by Predictive Defense Intelligence (PDI). The core insight of PDI is that discovery behaviors leave detectable signals before the attacker reaches their objective. Detecting discovery early, before lateral movement begins, is one of the highest-leverage interventions available to a security operations team.
## How It Works
The first thing most attackers do after landing on a host is gather basic orientation data. System Information Discovery (T1082) collects OS version, architecture, hardware configuration, domain membership, hostname, and patch level. This information tells the attacker what kind of environment they are in, whether the host is joined to an Active Directory domain, and what vulnerabilities may be exploitable for privilege escalation.
File and Directory Discovery (T1083) follows: the attacker enumerates the file system looking for sensitive files, data stores, configuration files with embedded credentials, and documents of interest. On Windows, common targets include the Desktop, Documents, and Downloads folders of current and other user profiles, database configuration files, application configuration files containing API keys or database passwords, and corporate document repositories.
### Network Infrastructure Mapping
Once the attacker understands the host they control, they want to understand the network it connects to. Remote System Discovery (T1018) involves scanning or enumerating the network to identify other reachable hosts. This can use Active Directory queries (querying domain controllers for all computer objects), network scanning tools, or simply pinging subnets to identify live hosts.
Network Service Discovery (T1046) is internal port scanning: using the compromised host as a pivot point to scan other hosts on the network for open services. From inside the network perimeter, the attacker can reach services that are not exposed to the internet, including administrative interfaces, database ports, internal web applications, and lateral movement vectors like SMB (port 445) and RDP (port 3389).
Network Share Discovery (T1135) targets mapped drives and accessible file shares. In Windows environments, file shares are common data repositories. Enumerating available shares reveals where documents, data, and potentially sensitive information are stored and whether those locations are accessible from the current account context.
System Network Configuration Discovery (T1016) collects IP addresses, routing tables, DNS configuration, and network adapter information. This gives the attacker a map of the network subnets the host can reach, which DNS servers are in use, and whether the host has multiple network interfaces that might provide access to additional network segments.
### Account and Permission Enumeration
Knowing what accounts exist and what permissions they hold is critical intelligence for lateral movement and privilege escalation planning. Account Discovery (T1087) covers both local and domain account enumeration: querying local SAM databases for local accounts, querying Active Directory for domain accounts, identifying service accounts, and finding accounts with administrative privileges.
Permission Groups Discovery (T1069) takes account enumeration further by mapping group memberships and permissions. In Active Directory environments, this means enumerating security groups, identifying which groups have administrative privileges, and finding which users are members of high-value groups like Domain Admins, Enterprise Admins, and Backup Operators.
### Active Directory Enumeration
Active Directory environments provide particularly rich discovery opportunities because AD is a directory service: it is designed to answer queries about users, computers, groups, and permissions. The same query capabilities that make AD useful for IT operations make it useful for attackers who have obtained any valid domain credential.
BloodHound, combined with its data collection agent SharpHound, is the best-known Active Directory reconnaissance tool. BloodHound collects data from Active Directory using LDAP queries and SMB sessions, then builds a graph database of all AD objects and their relationships. The BloodHound interface allows attackers to query that graph for the shortest attack paths to Domain Admin from any starting account. What would take a skilled attacker hours of manual enumeration, BloodHound reduces to seconds.
PowerView is a PowerShell-based Active Directory reconnaissance toolkit, part of the PowerSploit framework. It provides functions for querying AD objects, identifying trust relationships, finding computers where specific users are logged in, and enumerating group memberships. PowerView operates using standard LDAP queries, making it difficult to distinguish from legitimate administrative PowerShell activity.
ldapsearch, available on Linux and macOS systems, allows direct LDAP queries against domain controllers. Attackers operating from non-Windows hosts use ldapsearch to enumerate AD objects using the same LDAP protocol that Windows management tools use.
### Cloud Discovery
Cloud environments extend the discovery problem because cloud infrastructure includes resources beyond traditional network hosts: virtual machines, object storage buckets, serverless functions, managed databases, identity and access management roles, and network configuration objects.
Cloud Infrastructure Discovery (T1580) covers enumeration of cloud resources: listing EC2 instances in AWS, enumerating virtual machines in Azure, querying GCP compute resources. Attackers with compromised cloud credentials use the cloud provider's CLI or API to enumerate every resource type visible to those credentials. Because cloud IAM roles often carry overly broad permissions, a single compromised cloud account may provide visibility into large portions of cloud infrastructure.
Cloud Service Dashboard (T1538) is simpler: an attacker with stolen cloud console credentials simply logs into the cloud provider's web interface and browses the management console. This technique requires no specialized tools and is difficult to distinguish from a legitimate user session unless behavioral analytics are in place.
## Why It Matters
### Discovery Is the Intelligence Phase That Enables Every Subsequent Phase
Discovery does not cause immediate damage. No data is exfiltrated during T1082 or T1018. No systems are encrypted during BloodHound enumeration. This is precisely why discovery is frequently overlooked in detection strategies: it appears benign compared to the techniques that follow. That is a critical analytical error.
Every lateral movement decision, every privilege escalation attempt, every data collection target is informed by discovery. An attacker who completes thorough discovery before moving laterally is significantly more effective than one operating blind. They know which hosts to target, which accounts to compromise, which shares contain data worth collecting, and the shortest path to their objective.
More importantly: discovery precedes the damaging phases. Detecting discovery behaviors is detecting an attacker before they have caused the damage that triggers incident response. Organizations that build detection around discovery signals gain materially more response time than organizations that only detect at later kill chain stages.
### The Active Directory Problem
Active Directory is the nervous system of most enterprise Windows environments. It stores the authentication database, enforces group policy, controls access to resources, and maintains the trust model for the entire domain. It is also, by design, queryable by any authenticated domain user.
The BloodHound attack path problem illustrates this clearly. In a default Active Directory deployment, an attacker who compromises any domain user account can query AD to identify paths to Domain Admin. BloodHound automates this path-finding. The attacker does not need to know anything about the environment in advance. They land on a workstation, run SharpHound, load the results into BloodHound, and find the shortest path to complete domain compromise.
This problem is not a bug in BloodHound. It is a consequence of how Active Directory is architected. Most organizations have never mapped their own attack paths. BloodHound was built precisely because defenders needed to find these paths before attackers did. The tool is used both offensively and defensively.
### Cloud Discovery Amplifies Blast Radius
Cloud environments often have a discovery problem that is structurally worse than on-premises Active Directory. IAM roles with excessive permissions are common. Service accounts with admin or owner bindings are frequently present because they were convenient during development. A single compromised cloud credential can expose the entire cloud estate to discovery.
The attacker does not need to compromise many accounts. They need to compromise one account with sufficient permissions to enumerate the environment, and then use that intelligence to reach the accounts or resources with real value.
## Technical Details
### BloodHound and SharpHound Characteristic Behaviors
SharpHound (the BloodHound data collector) generates a recognizable pattern of LDAP queries when executed. It issues large volumes of LDAP queries against domain controllers, specifically requesting properties that include group memberships, user SIDs, computer SIDs, ACL data, and session information. The LDAP queries include specific property sets that are rarely requested together in normal administrative operations.
Detection of SharpHound activity involves monitoring domain controller event logs for high-volume LDAP query activity from unexpected source accounts (workstation user accounts, recently created accounts, accounts that do not normally perform AD administration). Specific event IDs relevant to LDAP query monitoring include Windows Security Event 4662 (An operation was performed on an object) for ACL enumeration and Event 5136 for directory service modifications.
Beyond event log monitoring, network traffic analysis can identify SharpHound's SMB-based session enumeration: SharpHound connects to the IPC$ share on domain-joined computers to enumerate logged-on sessions. This generates SMB connection activity to many hosts in rapid succession from a single source, a pattern that is anomalous for workstation user accounts.
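The event-log side of this detection, as an added example that is not part of the article or of CDA's PDI rule set: it aggregates constructed Event 4662 records per source account in a trailing 60-second window and fires only when a burst also spans several object classes, which is the "properties rarely requested together" signal described above. The thresholds, the admin baseline, and the `ObjectClass` field (assumed to hold the schema class name that the real 4662 `ObjectType` GUID resolves to) are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables (assumed values, not taken from the article): a 60-second window,
# a burst size interactive users do not produce, and the mix of object
# classes SharpHound reads together (users, computers, groups, domain head).
WINDOW = timedelta(seconds=60)
MIN_EVENTS = 50
MIN_OBJECT_CLASSES = 3
# Accounts expected to query AD at volume (constructed baseline).
AD_ADMIN_BASELINE = {"CORP\\hd.admin", "CORP\\ad.svc"}


def build_sample_events():
    """Constructed Event 4662 records. The schema GUID in the real ObjectType
    field is assumed to have been resolved to a class name in ObjectClass."""
    base = datetime.fromisoformat("2024-05-01T09:00:00")
    classes = ["user", "computer", "group", "domainDNS"]
    events = []
    # 120 reads in 30 seconds from a workstation user, across all four classes
    for i in range(120):
        events.append({"EventID": 4662, "TimeCreated": base + timedelta(milliseconds=250 * i),
                       "SubjectDomainName": "CORP", "SubjectUserName": "j.doe",
                       "ObjectClass": classes[i % 4], "AccessMask": "0x10"})
    # six reads over ten minutes from a help-desk admin: routine ticket work
    for i in range(6):
        events.append({"EventID": 4662, "TimeCreated": base + timedelta(minutes=2 * i),
                       "SubjectDomainName": "CORP", "SubjectUserName": "hd.admin",
                       "ObjectClass": "user", "AccessMask": "0x10"})
    # 80 reads of one class from a provisioning service: high volume, single class
    for i in range(80):
        events.append({"EventID": 4662, "TimeCreated": base + timedelta(seconds=i),
                       "SubjectDomainName": "CORP", "SubjectUserName": "ad.svc",
                       "ObjectClass": "user", "AccessMask": "0x10"})
    return events


def detect_enumeration_bursts(events, baseline=AD_ADMIN_BASELINE):
    """Return one alert per account whose 4662 activity, inside any WINDOW,
    reaches MIN_EVENTS and spans MIN_OBJECT_CLASSES distinct object classes."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4662:
            continue
        by_account[f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        window = deque()
        for e in evs:
            window.append(e)
            # drop events that fell out of the trailing window
            while e["TimeCreated"] - window[0]["TimeCreated"] > WINDOW:
                window.popleft()
            classes = {w["ObjectClass"] for w in window}
            if len(window) >= MIN_EVENTS and len(classes) >= MIN_OBJECT_CLASSES:
                alerts.append({
                    "account": account,
                    "window_start": window[0]["TimeCreated"].isoformat(),
                    "count": len(window),
                    "object_classes": sorted(classes),
                    # a baselined admin is still reviewed, but at lower priority
                    "severity": "low" if account in baseline else "high",
                })
                break  # one alert per account is enough here
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration_bursts(build_sample_events()):
        print(alert)
```

Only the workstation user fires: the help-desk admin's volume is low, and the provisioning service reads many objects but of a single class, which is exactly the distinction the object-class condition is there to make. Event 4662 requires a SACL on the audited objects before it is generated at all, so the rule is only as good as the auditing configuration feeding it.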
### Internal Port Scanning Detection
Network Service Discovery (T1046) from inside the network is anomalous because workstations do not normally conduct port scans. Detection approaches include network flow monitoring to identify hosts generating connection attempts to many different destination ports or many different destination hosts within a short time window, and host-based network activity monitoring to flag unusual outbound connection patterns.
The source account matters significantly. A workstation user account connecting to port 445 (SMB) or 3389 (RDP) on one hundred different hosts in five minutes is a strong indicator of internal reconnaissance. A domain administrator account doing the same thing is more ambiguous and requires additional context.
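The flow-based side of that rule, written as an added example (not code from the article or from CDA): over constructed flow records it looks for a single source fanning out to many destination hosts, or to many ports on one host, inside a five-minute window, and sets the severity from the logged-on account context exactly as the paragraph above describes. The window, the fan-out thresholds, and the account field on each flow are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tunables: a five-minute window, 50 distinct destination hosts from
# one source, or 20 distinct destination ports on one destination host.
WINDOW = timedelta(minutes=5)
HOST_FANOUT = 50
PORT_FANOUT = 20


def build_sample_flows():
    """Constructed flow records: (time, src_host, dst_ip, dst_port, logged_on_account)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    # workstation with a plain user session touches 445 on 120 hosts in two minutes
    for i in range(120):
        flows.append((base + timedelta(seconds=i), "WS-0421", f"10.20.0.{i + 1}", 445, "CORP\\j.doe"))
    # admin jump host probes 30 ports on one server: ambiguous, could be troubleshooting
    for p in range(30):
        flows.append((base + timedelta(seconds=p), "ADM-01", "10.30.0.5", 1000 + p, "CORP\\da.smith"))
    # ordinary workstation traffic: file server and proxy only
    flows.append((base, "WS-0777", "10.30.0.10", 445, "CORP\\p.lee"))
    flows.append((base + timedelta(minutes=1), "WS-0777", "10.30.0.20", 8080, "CORP\\p.lee"))
    return flows


def detect_internal_scans(flows, domain_admins):
    """One alert per source host whose connections inside any WINDOW fan out
    across HOST_FANOUT destinations or PORT_FANOUT ports on one destination.
    Severity follows the account context: a domain admin is ambiguous, a user is not."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)

    alerts = []
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f[0])
        start = 0
        for end in range(len(fs)):
            # slide the window start forward until it fits inside WINDOW
            while fs[end][0] - fs[start][0] > WINDOW:
                start += 1
            window = fs[start:end + 1]
            hosts = {f[2] for f in window}
            ports_per_host = defaultdict(set)
            for f in window:
                ports_per_host[f[2]].add(f[3])
            widest = max(len(p) for p in ports_per_host.values())
            if len(hosts) >= HOST_FANOUT or widest >= PORT_FANOUT:
                account = fs[end][4]
                alerts.append({
                    "src": src,
                    "account": account,
                    "kind": "host sweep" if len(hosts) >= HOST_FANOUT else "port sweep",
                    "hosts": len(hosts),
                    "max_ports_on_one_host": widest,
                    "severity": "medium" if account in domain_admins else "high",
                })
                break  # one alert per source host
    return alerts


if __name__ == "__main__":
    for alert in detect_internal_scans(build_sample_flows(), {"CORP\\da.smith"}):
        print(alert)
```

The host sweep on port 445 from a user workstation is the SharpHound session-enumeration shape described in the previous subsection as well as a generic T1046 indicator; the port sweep from the admin host is reported at lower severity so an analyst can weigh it against change tickets rather than having it suppressed outright.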
### Cloud Discovery Detection
AWS CloudTrail, Azure Activity Logs, and GCP Cloud Audit Logs capture API calls including enumeration calls. Indicators of cloud discovery include: high volumes of Describe or List API calls (AWS), calls from new or infrequently used IAM credentials, API calls from unexpected geographic locations or IP addresses, and enumeration calls that span many resource types in a short time window (suggesting systematic discovery rather than targeted administrative operations).
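The CloudTrail indicators listed above, turned into a rule as an added example (not the article's or CDA's code): it parses constructed CloudTrail-shaped JSON records, keeps only read-style calls (`Describe*`, `List*`, `Get*`), and alerts when one principal issues a burst of them spanning several services within ten minutes, adding unrecognized access keys and source addresses in that window as reasons. The thresholds, the baseline sets, and every record value are assumptions; only the field names come from the CloudTrail schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tunables: ten-minute window, 40 read-only calls, five distinct services.
WINDOW = timedelta(minutes=10)
MIN_READ_CALLS = 40
MIN_SERVICES = 5
READ_PREFIXES = ("Describe", "List", "Get")


def build_sample_trail():
    """Constructed CloudTrail-shaped records, serialized as JSON lines.
    Field names follow CloudTrail's schema; every value is made up."""
    base = datetime(2024, 5, 1, 3, 0, 0)
    read_calls = [("ec2", "DescribeInstances"), ("s3", "ListBuckets"), ("iam", "ListRoles"),
                  ("lambda", "ListFunctions"), ("rds", "DescribeDBInstances"),
                  ("sts", "GetCallerIdentity")]
    records = []
    # a CI user's credential sweeps six services in three minutes from an unfamiliar address
    for i in range(60):
        svc, name = read_calls[i % len(read_calls)]
        records.append({
            "eventTime": (base + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventSource": f"{svc}.amazonaws.com", "eventName": name,
            "sourceIPAddress": "203.0.113.77",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot",
                             "accessKeyId": "AKIA_EXAMPLE_KEY_2"},
        })
    # an operator's routine checks from the office address with a known key
    for i in range(5):
        records.append({
            "eventTime": (base + timedelta(minutes=15 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
            "sourceIPAddress": "198.51.100.10",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin",
                             "accessKeyId": "AKIA_EXAMPLE_KEY_1"},
        })
    # a write call is not enumeration and must not count toward the read burst
    records.append({
        "eventTime": base.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot",
                         "accessKeyId": "AKIA_EXAMPLE_KEY_2"},
    })
    return [json.dumps(r) for r in records]


def _t(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_cloud_enumeration(json_lines, known_keys, known_ips):
    """One alert per principal whose read-only calls inside any WINDOW reach
    MIN_READ_CALLS and span MIN_SERVICES services; unknown keys and source
    addresses seen in that window are appended as reasons."""
    by_principal = defaultdict(list)
    for line in json_lines:
        r = json.loads(line)
        if r["eventName"].startswith(READ_PREFIXES):
            by_principal[r["userIdentity"]["arn"]].append(r)

    alerts = []
    for arn, recs in by_principal.items():
        recs.sort(key=_t)
        start = 0
        for end in range(len(recs)):
            while _t(recs[end]) - _t(recs[start]) > WINDOW:
                start += 1
            window = recs[start:end + 1]
            services = {r["eventSource"] for r in window}
            if len(window) >= MIN_READ_CALLS and len(services) >= MIN_SERVICES:
                reasons = [f"{len(window)} read calls across {len(services)} services"]
                if {r["userIdentity"].get("accessKeyId") for r in window} - known_keys:
                    reasons.append("unrecognized access key")
                if {r["sourceIPAddress"] for r in window} - known_ips:
                    reasons.append("unrecognized source IP")
                alerts.append({"principal": arn, "calls": len(window),
                               "services": sorted(services), "reasons": reasons})
                break  # one alert per principal
    return alerts


if __name__ == "__main__":
    for alert in detect_cloud_enumeration(build_sample_trail(),
                                          {"AKIA_EXAMPLE_KEY_1"}, {"198.51.100.10"}):
        print(alert)
```

Counting distinct `eventSource` values rather than raw call volume is what separates systematic discovery from a deployment script that legitimately calls `DescribeInstances` hundreds of times against one service. The same shape applies to Azure Activity Log and GCP Cloud Audit Log records once their operation names and caller fields are mapped in.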
## CDA Perspective
### PDI Detection Rules for Discovery Behaviors as Early Warning
Predictive Defense Intelligence (PDI) is built on a fundamental operational principle: "See the threat before it sees you." For discovery behaviors, this means building detection rules that fire during the intelligence-gathering phase of an attack, before lateral movement, credential theft, or data collection begins.
CDA's TID domain implements PDI detection rules specifically targeting discovery tactic behaviors. These rules treat discovery signals as high-priority early warning indicators rather than low-priority informational alerts. The operational logic is straightforward: an attacker conducting BloodHound enumeration is not yet the threat that destroys data. They become that threat only after they use the BloodHound output to plan their next moves. The window between discovery and the damaging phase is the best available opportunity for containment.
Mission TID-H01 (threat detection engineering) includes detection engineering work specifically for TA0007 behaviors. Detection coverage is evaluated against the full TA0007 technique list, with priority given to techniques that appear in confirmed attack chains (BloodHound/SharpHound LDAP enumeration, internal port scanning from workstations, and cloud enumeration API call volumes).
### The Orientation Problem Is Symmetric
Active Directory gives defenders the same graph that BloodHound gives attackers. CDA's approach to Active Directory security includes using BloodHound offensively (red team operations in VSD-R01) to identify attack paths in client environments before attackers do, then using those findings to drive IAT-B01 (identity hardening) work that breaks the attack paths. Tiered AD administration models, Protected Users security group usage, and Group Policy Object hardening all reduce the attack path density that BloodHound reveals.
The defensive answer to T1069 (Permission Groups Discovery) is not to prevent the query. It is to ensure that the answer to the query does not reveal viable attack paths. If no path from a standard user account to Domain Admin exists in fewer than five hops, BloodHound cannot give the attacker an easy route to follow.
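The audit described in the two paragraphs above, reduced to its core as an added example (not the article's or CDA's tooling, and not BloodHound code): a breadth-first search over a constructed relationship graph that uses BloodHound's edge vocabulary (`MemberOf`, `AdminTo`, `HasSession`). It reports the hop count of the shortest path from a given account to Domain Admins, checks it against the five-hop threshold, and shows how removing one tier-violating relationship lengthens the path and removing a Domain Admin logon eliminates it. Every node name and edge is constructed.

```python
from collections import deque

DOMAIN_ADMINS = "DOMAIN ADMINS@corp.local"
MIN_ACCEPTABLE_HOPS = 5  # the article's threshold: no path shorter than five hops

# Constructed relationship edges in BloodHound's vocabulary (not collected from a
# real domain): (source, relationship, target). A Computer -HasSession-> User edge
# means that user's credentials are exposed on that computer.
SAMPLE_EDGES = [
    ("j.doe@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS-0421.corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "SRV-FILE01.corp.local"),    # tier violation
    ("WS-0421.corp.local", "HasSession", "it.admin@corp.local"),
    ("it.admin@corp.local", "MemberOf", "SERVER ADMINS@corp.local"),
    ("SERVER ADMINS@corp.local", "AdminTo", "SRV-FILE01.corp.local"),
    ("SRV-FILE01.corp.local", "HasSession", "da.smith@corp.local"),  # DA logged on to a tier-1 server
    ("da.smith@corp.local", "MemberOf", DOMAIN_ADMINS),
    ("p.lee@corp.local", "MemberOf", "FINANCE@corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, next node)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns [(node, relationship used to reach it), ...] or None."""
    if start not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                parent = parents[node]
                path.append((node, parent[1] if parent else None))
                node = parent[0] if parent else None
            return list(reversed(path))
        for rel, nxt in graph[node]:
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    return None


def hops_to_domain_admin(edges, start, target=DOMAIN_ADMINS):
    """Number of edges on the shortest path, or None if no path exists."""
    path = shortest_path(build_graph(edges), start, target)
    return None if path is None else len(path) - 1


def path_is_acceptable(edges, start, min_hops=MIN_ACCEPTABLE_HOPS):
    """True when no path exists or the shortest one is at least min_hops long."""
    hops = hops_to_domain_admin(edges, start)
    return hops is None or hops >= min_hops


def without(edges, edge):
    """Model a hardening change by removing one relationship from the graph."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    for label, edges in [
        ("as collected", SAMPLE_EDGES),
        ("help desk removed from server admin", without(SAMPLE_EDGES,
            ("HELPDESK@corp.local", "AdminTo", "SRV-FILE01.corp.local"))),
    ]:
        print(label, hops_to_domain_admin(edges, "j.doe@corp.local"),
              shortest_path(build_graph(edges), "j.doe@corp.local", DOMAIN_ADMINS))
```

In the constructed graph the help-desk group's admin rights on a file server give a standard user a four-hop path, which fails the five-hop rule; enforcing tiered administration by removing that one edge leaves only a seven-hop route, and keeping the Domain Admin from logging on to the tier-1 server (the Protected Users and tiering measures mentioned above) removes the path altogether. Running the same check over every standard user is the defensive reading of the BloodHound query.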
## Key Takeaways
- Discovery (MITRE ATT&CK TA0007) is the intelligence-gathering phase that enables all subsequent attack phases. Detecting discovery early provides more response time and higher containment probability than detecting only at later kill chain stages.
- The most impactful discovery technique in enterprise Windows environments is Active Directory enumeration, particularly via BloodHound and SharpHound. The characteristic LDAP query patterns are detectable when domain controller event logging and network monitoring are in place.
- Cloud environments face a structurally similar problem: overly permissive IAM credentials enable broad cloud resource enumeration. Cloud audit logs capture enumeration API calls and are the primary detection source.
- Detection coverage for TA0007 is a core TID requirement under PDI methodology. Discovery alerts that fire before lateral movement begins are early warning indicators, not informational events.
- Defenders can use the same Active Directory graph tools offensively (via red team operations) to find attack paths before attackers do, then break those paths through identity hardening, tiered administration models, and ACL cleanup.
## Related Articles
- Initial Access Techniques (MITRE ATT&CK TA0001)
- Lateral Movement Techniques (MITRE ATT&CK TA0008)
- Credential Access Techniques (MITRE ATT&CK TA0006)
- Active Directory Security Hardening
- Zero Possession Architecture (ZPA) Deep Dive
- Detection Engineering for Threat Intelligence Teams
## Sources
MITRE ATT&CK. "Discovery (TA0007)." MITRE Corporation, 2024. https://attack.mitre.org/tactics/TA0007/
SpecterOps. "BloodHound: Six Degrees of Domain Admin." SpecterOps, 2024. https://github.com/BloodHoundAD/BloodHound
Mandiant. "M-Trends 2024 Special Report." Google Cloud, 2024. https://www.mandiant.com/m-trends
Microsoft. "Detecting Active Directory Enumeration Attacks." Microsoft Security Blog, 2023. https://www.microsoft.com/en-us/security/blog/
CISA. "Best Practices for Active Directory Security." Cybersecurity and Infrastructure Security Agency, 2024. https://www.cisa.gov/resources-tools/resources/active-directory-security
Amazon Web Services. "Logging and Monitoring in AWS CloudTrail." AWS Documentation, 2024. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/
CDA, LLC. "Predictive Defense Intelligence (PDI) Methodology Reference." CDA Canon, 2026.