# Recon Tools

> Reconnaissance and enumeration tools used in the post-compromise discovery phase - Active Directory mapping, user/group enumeration, network information gathering, and host discovery. Corresponds primarily to the MITRE ATT&CK Tactic **Discovery (TA0007)**.

```mermaid
graph TB
    subgraph ALVOS["🎯 Reconnaissance Targets"]
        AD["Active Directory<br/>Domain, users, groups"]
        NET["Network<br/>Hosts, services, routes"]
        CLOUD["Cloud / Azure AD<br/>Identities, permissions"]
        SYS["Local System<br/>Processes, tasks, config"]
    end
    subgraph TOOLS["🔍 Tools"]
        BH["BloodHound / SharpHound<br/>AD graphs, escalation paths"]
        AF["AdFind / dsquery<br/>LDAP queries against AD"]
        AAD["AADInternals / ROADTools<br/>Azure AD recon"]
        NET2["nbtscan / nltest<br/>Windows network enumeration"]
        SYS2["systeminfo / tasklist<br/>System information"]
        MAIL["MailSniper / Ruler<br/>Exchange enumeration"]
    end
    ALVOS --> TOOLS
    style ALVOS fill:#1a1a2e,color:#fff
    style TOOLS fill:#16213e,color:#fff
    style BH fill:#3498db,color:#fff
    style AF fill:#2980b9,color:#fff
    style AAD fill:#1a6fa8,color:#fff
    style NET2 fill:#1a5276,color:#fff
    style SYS2 fill:#154360,color:#fff
    style MAIL fill:#0d3349,color:#fff
```

> [!info] Internal vs. External Reconnaissance
> This category covers **post-compromise** reconnaissance (Discovery - TA0007). External reconnaissance before the attack is covered by the Reconnaissance tactic (TA0043) - see **[[_techniques|TTP Techniques Hub]]**.

## Associated TTPs

- **[[t1018-remote-system-discovery|T1018]]** - Remote System Discovery
- **[[t1087-account-discovery|T1087]]** - Account Discovery
- **[[t1069-permission-groups-discovery|T1069]]** - Permission Groups Discovery
- **[[t1482-domain-trust-discovery|T1482]]** - Domain Trust Discovery
- **[[t1538-cloud-service-dashboard|T1538]]** - Cloud Service Dashboard

Relevant mitigations:

- **[[_mitigations|Mitigations Hub]]** - applicable M-series controls
- **[[_detections|Detections Hub]]** - analytics for detecting AD recon

## Catalog

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Ferramenta", aliases AS "Aliases", status AS "Status"
FROM "cti/software/tools/recon-tools"
WHERE type = "malware" OR type = "tool"
SORT title ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Ferramenta", aliases AS "Aliases", status AS "Status" FROM "cti/software/tools/recon-tools" WHERE type = "malware" OR type = "tool" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Ferramenta", aliases AS "Aliases", status AS "Status" FROM "cti/software/tools/recon-tools" WHERE type = "malware" OR type = "tool" SORT title ASC -->

| Tool | Aliases | Status |
| ---- | ------- | ------ |
| [[s0677-aadinternals\|AADInternals]] | <ul><li>AADInternals</li></ul> | active |
| [[s0552-adfind\|AdFind]] | <ul><li>AdFind</li></ul> | active |
| [[s0099-arp\|Arp]] | <ul><li>Arp</li><li>arp.exe</li></ul> | active |
| [[s0521-bloodhound\|BloodHound]] | <ul><li>BloodHound</li></ul> | active |
| [[s0105-dsquery\|dsquery]] | <ul><li>dsquery</li><li>dsquery.exe</li></ul> | active |
| [[s0101-ifconfig\|ifconfig]] | <ul><li>ifconfig</li></ul> | active |
| [[s0100-ipconfig\|ipconfig]] | <ul><li>ipconfig</li></ul> | active |
| [[s0413-mailsniper\|MailSniper]] | <ul><li>MailSniper</li></ul> | active |
| [[s0590-nbtscan\|NBTscan]] | <ul><li>NBTscan</li></ul> | active |
| [[s0102-nbtstat\|nbtstat]] | <ul><li>nbtstat</li></ul> | active |
| [[s0039-net\|Net]] | <ul><li>Net</li><li>net.exe</li></ul> | active |
| [[s0104-netstat\|netstat]] | <ul><li>netstat</li></ul> | active |
| [[s0359-nltest\|Nltest]] | <ul><li>Nltest</li></ul> | active |
| [[s1091-pacu\|Pacu]] | <ul><li>Pacu</li></ul> | active |
| [[s0683-peirates\|Peirates]] | <ul><li>Peirates</li></ul> | active |
| [[s0097-ping\|Ping]] | <ul><li>Ping</li></ul> | active |
| [[s0684-roadtools\|ROADTools]] | <ul><li>ROADTools</li></ul> | active |
| [[s0103-route\|route]] | <ul><li>route</li></ul> | active |
| [[s0358-ruler\|Ruler]] | <ul><li>Ruler</li></ul> | active |
| [[s0445-shimratreporter\|ShimRatReporter]] | <ul><li>ShimRatReporter</li></ul> | active |
| [[s0227-spwebmember\|spwebmember]] | <ul><li>spwebmember</li></ul> | active |
| [[s0096-systeminfo\|Systeminfo]] | <ul><li>Systeminfo</li></ul> | active |
| [[s0057-tasklist\|Tasklist]] | <ul><li>Tasklist</li></ul> | active |

<!-- SerializedQuery END -->

## Navigation

- [[_tools|Tools Hub]] - overview of all tools
- [[_software|Software Hub]] - malware + tools
- [[_cti|CTI Hub]] - central intelligence hub