MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Mapping To Discovery

For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.

Details
ATT&CK ID: TA0007

ATT&CK Technique Opportunity Space AD Technique Use Case
T1007 - System Service Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1007 - System Service Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender could manipulate the command to display services an adversary would expect to see on a system, or to shown them unexpected services.
T1010 - Application Window Discovery There is an opportunity to provide a variety of applications to an adversary so they see a full set of information when performing discovery tasks. DTE0004 - Application Diversity During an adversary engagement operation, a defender can open and use any particular subset of applications installed on a system to control what is presented to the adversary at any point in time.
T1012 - Query Registry There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0011 - Decoy Content A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing.
T1016 - System Network Configuration Discovery There is an opportunity to influence an adversary to move toward systems you want them to engage with. DTE0011 - Decoy Content A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.
T1018 - Remote System Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can change the output of a recon commands to hide simulation elements you don’t want attacked and present simulation elements you want the adversary to engage with.
T1018 - Remote System Discovery In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process. DTE0011 - Decoy Content A defender can create entries in a decoy system's ARP cache, hosts file, etc. to add to the legitimacy of the device.
T1033 - System Owner/User Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system.
T1040 - Network Sniffing There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation By changing the output of network sniffing utilities normally found on a system, you can prevent adversaries from seeing particular content or making use of the results at all.
T1040 - Network Sniffing There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. DTE0016 - Decoy Process The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks.
T1040 - Network Sniffing There is an opportunity to entice the adversary to expose additional TTPs. DTE0025 - Network Diversity The defender can add unique endpoints, servers, routers, and other devices to give the adversary a broader attack surface. This can cause the adversary to expose additional capabilities.
T1046 - Network Service Scanning There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can change the output of a recon commands to hide simulation elements you don’t want attacked and present simulation elements you want the adversary to engage with.
T1046 - Network Service Scanning There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use.
T1049 - System Network Connections Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems.
T1057 - Process Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
T1057 - Process Discovery There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. DTE0016 - Decoy Process A defender can run decoy processes on a system to entice an adversary.
T1069 - Permission Groups Discovery In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system. DTE0036 - Software Manipulation A defender could manipulate a system's software to alter the results of an adversary enumerating permission group information.
T1082 - System Information Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.
T1083 - File and Directory Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can utilize decoy files and directories to provide content that could be used by the adversary.
T1087 - Account Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender could alter the output from account enumeration commands to hide accounts or show the presence of accounts which do not exist.
T1087 - Account Discovery In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process. DTE0010 - Decoy Account During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity.
T1087 - Account Discovery There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in. DTE0013 - Decoy Diversity A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc.
T1120 - Peripheral Device Discovery There is an opportunity to gauge an adversary's interest in connected peripheral devices. DTE0029 - Peripheral Management A defender can connect one or more peripheral devices to a decoy system to see if an adversary has any interest in them.
T1120 - Peripheral Device Discovery There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. DTE0029 - Peripheral Management A defender can plug in a USB drive and see how quickly the adversary notices and inspects it.
T1124 - System Time Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation If the defender knows the specific regions an adversary is targeting, they can alter the output of commands which return systems times to return data consistent with what an adversary would want to see.
T1135 - Network Share Discovery In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity. DTE0011 - Decoy Content A defender can utilize decoy network shares to provide content that could be used by the adversary.
T1135 - Network Share Discovery There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use. DTE0013 - Decoy Diversity A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc.
T1201 - Password Policy Discovery In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system. DTE0036 - Software Manipulation A defender can alter the output of the password policy description so the adversary is unsure of exactly what the requirements are.
T1217 - Browser Bookmark Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can use decoy content to give the false impression about the nature of the system in order to entice an adversary to continue engagement.
T1482 - Domain Trust Discovery There is an opportunity to extend an adversary's engagement period by creating a decoy network that systems can discover when performing trust discovery. DTE0014 - Decoy Network A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary.
T1482 - Domain Trust Discovery In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. DTE0012 - Decoy Credentials A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.
T1497 - Virtualization/Sandbox Evasion There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization. DTE0017 - Decoy System A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts.
T1497 - Virtualization/Sandbox Evasion There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts. DTE0011 - Decoy Content A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not.
T1518 - Software Discovery There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. DTE0004 - Application Diversity A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques.
T1526 - Cloud Service Discovery There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. DTE0014 - Decoy Network A defender can use a decoy network and seed it with cloud services to see how an adversary might exploit those resources.
T1538 - Cloud Service Dashboard In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. DTE0012 - Decoy Credentials A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.
T1580 - Cloud Infrastructure Discovery There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. DTE0017 - Decoy System A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity.
T1580 - Cloud Infrastructure Discovery There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures. DTE0033 - Standard Operating Procedure A defender can define operating procedures for interacting with cloud services and alert when they are not followed.