The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
| ID | Name | Description | |
| T2040 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
| T2041 | Network Service Scanning | Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN). | |
| T2037 | Network Sniffing | Adversaries may gain unauthorized access to vehicle systems by using network sniffing technique. This method allows them to capture information about the vehicle's network, including authentication material passed over the network. Network sniffing involves monitoring or capturing information sent over a wired or wireless connection, providing adversaries with valuable data about the vehicle's network activity. | |
| T2043 | Process Discovery | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
| T2044 | System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
| T2045 | System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. | |
| T2046 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. | |
| T2047 | UDS Service Discovery | Adversaries may may attempt to enumerate services support by Unified Diagnostic Services (UDS). This technique allows adversaries to scan for and identify the various services and functionalities available within the vehicle's onboard systems. By understanding the specific services and identifiers used in the UDS protocol, adversaries can effectively target and exploit vulnerabilities within the vehicle's network. | |