# TA0007 — Discovery

## Description

The Discovery phase is **internal reconnaissance**: after compromising a host, the adversary needs to understand the environment they are operating in. What is this machine? Which networks is it connected to? Are there other reachable hosts? What is the Active Directory topology? Are there file servers, databases or backup systems worth targeting?

This phase is typically short and intense: in ransomware operations, operators run dozens of discovery commands within minutes using tools such as BloodHound (AD mapping), Nmap (network scanning), ADRecon and nltest. Speed is critical; every second of dwell time raises the risk of detection.

Internal discovery is frequently carried out with **legitimate operating-system tools** (ipconfig, net, netstat, tasklist, whoami, systeminfo), which makes process whitelisting ineffective as a detection without context analysis: when and by whom a command is run matters as much as what is run.

## Position in the Kill Chain

```mermaid
graph TB
    R["Reconhecimento"]:::inactive --> RD["Desenvolvimento<br/>de Recursos"]:::inactive
    RD --> IA["Acesso Inicial"]:::inactive
    IA --> EX["Execução"]:::inactive
    EX --> PE["Persistência"]:::inactive
    PE --> PR["Esc. Privilégios"]:::inactive
    PR --> DE["Evasão de Defesas"]:::inactive
    DE --> CA["Acesso a<br/>Credenciais"]:::inactive
    CA --> DI["🔎 Descoberta"]:::active
    DI --> LM["Mov. Lateral"]:::inactive
    LM --> CO["Coleta"]:::inactive
    CO --> C2["Comando e<br/>Controle"]:::inactive
    C2 --> EXF["Exfiltração"]:::inactive
    EXF --> IM["Impacto"]:::inactive
    classDef active fill:#e74c3c,color:#fff,stroke:#c0392b,stroke-width:3px
    classDef inactive fill:#2c3e50,color:#95a5a6,stroke:#1a252f
```

## Techniques of this Tactic in the Vault

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas"
FROM "ttp/techniques"
WHERE contains(mitre-tactic, "Discovery")
SORT mitre-id ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Discovery") SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Discovery") SORT mitre-id ASC -->
| Note | ID | Technique | Platforms |
| --- | --- | --- | --- |
| [[t1007-system-service-discovery\|T1007 - System Service Discovery]] | T1007 | T1007 - System Service Discovery | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1010-application-window-discovery\|T1010 - Application Window Discovery]] | T1010 | T1010 - Application Window Discovery | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1012-query-registry\|T1012 - Query Registry]] | T1012 | T1012 - Query Registry | <ul><li>Windows</li></ul> |
| [[t1016-system-network-configuration-discovery\|T1016 - System Network Configuration Discovery]] | T1016 | T1016 - System Network Configuration Discovery | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1016-001-internet-connection-discovery\|T1016.001 - Internet Connection Discovery]] | T1016.001 | T1016.001 - Internet Connection Discovery | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>ESXi</li></ul> |
| [[t1016-002-wi-fi-discovery\|T1016.002 - Wi-Fi Discovery]] | T1016.002 | T1016.002 - Wi-Fi Discovery | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1018-remote-system-discovery\|T1018 - Remote System Discovery]] | T1018 | T1018 - Remote System Discovery | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1033-system-owneruser-discovery\|T1033 - System Owner/User Discovery]] | T1033 | T1033 - System Owner/User Discovery | <ul><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1046-network-service-discovery\|T1046 - Network Service Discovery]] | T1046 | T1046 - Network Service Discovery | <ul><li>Containers</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1049-system-network-connections-discovery\|T1049 - System Network Connections Discovery]] | T1049 | T1049 - System Network Connections Discovery | <ul><li>Windows</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1057-process-discovery\|T1057 - Process Discovery]] | T1057 | T1057 - Process Discovery | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1069-permission-groups-discovery\|T1069 - Permission Groups Discovery]] | T1069 | T1069 - Permission Groups Discovery | <ul><li>Containers</li><li>IaaS</li><li>Identity Provider</li><li>Linux</li><li>macOS</li><li>Office Suite</li><li>SaaS</li><li>Windows</li></ul> |
| [[t1069-001-local-groups\|T1069.001 - Local Groups]] | T1069.001 | T1069.001 - Local Groups | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1069-002-domain-groups\|T1069.002 - Domain Groups]] | T1069.002 | T1069.002 - Domain Groups | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1069-003-cloud-groups\|T1069.003 - Cloud Groups]] | T1069.003 | T1069.003 - Cloud Groups | <ul><li>SaaS</li><li>IaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1082-system-information-discovery\|T1082 - System Information Discovery]] | T1082 | T1082 - System Information Discovery | <ul><li>ESXi</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1083-file-and-directory-discovery\|T1083 - File and Directory Discovery]] | T1083 | T1083 - File and Directory Discovery | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1087-account-discovery\|T1087 - Account Discovery]] | T1087 | T1087 - Account Discovery | <ul><li>ESXi</li><li>IaaS</li><li>Identity Provider</li><li>Linux</li><li>macOS</li><li>Office Suite</li><li>SaaS</li><li>Windows</li></ul> |
| [[t1087-001-local-account\|T1087.001 - Local Account]] | T1087.001 | T1087.001 - Local Account | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1087-002-domain-account\|T1087.002 - Domain Account]] | T1087.002 | T1087.002 - Domain Account | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1087-003-email-account\|T1087.003 - Email Account]] | T1087.003 | T1087.003 - Email Account | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1087-004-cloud-account\|T1087.004 - Cloud Account]] | T1087.004 | T1087.004 - Cloud Account | <ul><li>IaaS</li><li>Identity Provider</li><li>Office Suite</li><li>SaaS</li></ul> |
| [[t1120-peripheral-device-discovery\|T1120 - Peripheral Device Discovery]] | T1120 | T1120 - Peripheral Device Discovery | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1124-system-time-discovery\|T1124 - System Time Discovery]] | T1124 | T1124 - System Time Discovery | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1135-network-share-discovery\|T1135 - Network Share Discovery]] | T1135 | T1135 - Network Share Discovery | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1201-password-policy-discovery\|T1201 - Password Policy Discovery]] | T1201 | T1201 - Password Policy Discovery | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>IaaS</li><li>Network Devices</li><li>Identity Provider</li><li>SaaS</li><li>Office Suite</li></ul> |
| [[t1217-browser-information-discovery\|T1217 - Browser Information Discovery]] | T1217 | T1217 - Browser Information Discovery | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1416-active-application-window\|T1416 - Active Application Window]] | T1416 | T1416 - Active Application Window | <ul><li>Android</li></ul> |
| [[t1422-system-network-configuration-discovery\|T1422 - System Network Configuration Discovery]] | T1422 | T1422 - System Network Configuration Discovery | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1482-domain-trust-discovery\|T1482 - Domain Trust Discovery]] | T1482 | T1482 - Domain Trust Discovery | <ul><li>Windows</li></ul> |
| [[t1518-software-discovery\|T1518 - Software Discovery]] | T1518 | T1518 - Software Discovery | <ul><li>ESXi</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1518-001-security-software-discovery\|T1518.001 - Security Software Discovery]] | T1518.001 | T1518.001 - Security Software Discovery | <ul><li>IaaS</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1518-002-backup-software-discovery\|T1518.002 - Backup Software Discovery]] | T1518.002 | T1518.002 - Backup Software Discovery | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1526-cloud-service-discovery\|T1526 - Cloud Service Discovery]] | T1526 | T1526 - Cloud Service Discovery | <ul><li>IaaS</li><li>Identity Provider</li><li>Office Suite</li><li>SaaS</li></ul> |
| [[t1538-cloud-service-dashboard\|T1538 - Cloud Service Dashboard]] | T1538 | T1538 - Cloud Service Dashboard | <ul><li>IaaS</li><li>SaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1580-cloud-infrastructure-discovery\|T1580 - Cloud Infrastructure Discovery]] | T1580 | T1580 - Cloud Infrastructure Discovery | <ul><li>IaaS</li></ul> |
| [[t1613-container-and-resource-discovery\|T1613 - Container and Resource Discovery]] | T1613 | T1613 - Container and Resource Discovery | <ul><li>Containers</li></ul> |
| [[t1614-system-location-discovery\|T1614 - System Location Discovery]] | T1614 | T1614 - System Location Discovery | <ul><li>IaaS</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1614-001-system-language-discovery\|T1614.001 - System Language Discovery]] | T1614.001 | T1614.001 - System Language Discovery | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1615-group-policy-discovery\|T1615 - Group Policy Discovery]] | T1615 | T1615 - Group Policy Discovery | <ul><li>Windows</li></ul> |
| [[t1619-cloud-storage-object-discovery\|T1619 - Cloud Storage Object Discovery]] | T1619 | T1619 - Cloud Storage Object Discovery | <ul><li>IaaS</li></ul> |
| [[t1652-device-driver-discovery\|T1652 - Device Driver Discovery]] | T1652 | T1652 - Device Driver Discovery | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1654-log-enumeration\|T1654 - Log Enumeration]] | T1654 | T1654 - Log Enumeration | <ul><li>ESXi</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1673-virtual-machine-discovery\|T1673 - Virtual Machine Discovery]] | T1673 | T1673 - Virtual Machine Discovery | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1680-local-storage-discovery\|T1680 - Local Storage Discovery]] | T1680 | T1680 - Local Storage Discovery | <ul><li>ESXi</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
<!-- SerializedQuery END -->

## Mindmap — Discovery Techniques

```mermaid
mindmap
  root((TA0007<br/>Discovery))
    Sistema e Host
      T1082 System Information Discovery
      T1016 System Network Configuration
      T1057 Process Discovery
      T1007 System Service Discovery
      T1217 Browser Information Discovery
    Rede
      T1018 Remote System Discovery
      T1135 Network Share Discovery
      T1046 Network Service Discovery
      T1049 System Network Connections
      T1040 Network Sniffing
    Active Directory
      T1069 Permission Groups Discovery
      T1087 Account Discovery
      BloodHound / SharpHound
      ADRecon
      nltest /dclist
    Arquivos e Dados
      T1083 File and Directory Discovery
      T1120 Peripheral Device Discovery
      T1613 Container Discovery
    Credenciais e Contas
      T1087 Account Discovery
      T1069 Permission Groups
      T1010 Application Window Discovery
```

## Actors Using this Tactic

| Actor | Discovery Tool/Approach |
|------|------------------------------------|
| [[lockbit\|LockBit Operators]] | BloodHound + SharpHound, Nmap, ADRecon after gaining access |
| [[TA505]] | Network enumeration, identification of file servers |
| [[g1017-volt-typhoon\|Volt Typhoon]] | LOLBins only: ipconfig, netstat, net, nltest |
| [[Cozy Bear]] | LDAP queries, BloodHound, quiet enumeration |
| [[g0034-sandworm\|Sandworm]] | Mapping of industrial networks, OT/ICS discovery |

## Detection and Mitigation

### Detection

- **Behavioral analytics:** many discovery commands in a short period from a single account/host
- **SIEM:** alerts on execution of nltest, net group, ipconfig /all at unusual hours
- **Honeypot shares:** decoy network shares; any access is an immediate alert
- **BloodHound detection:** detection of LDAP queries in anomalous volume (SharpHound collection)
- **EDR:** process execution tree; cmd.exe spawned by Office, or PowerShell spawned by a web service

### Mitigation

- **Network segmentation:** limit which hosts can "see" other hosts (zero-trust network)
- **LDAP signing & channel binding:** make anonymous LDAP queries against AD harder
- **AD tiering:** separate Tier 0 (DCs), Tier 1 (servers) and Tier 2 (workstations)
- **Restrict network visibility:** host-based firewall on every workstation
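The behavioral-analytics and EDR process-tree checks listed under Detection, as an added example that is not part of the original note: a Python sketch over constructed process-creation events (hostnames, user names, the `corp` domain and the five-tool/five-minute thresholds are invented for the example; the parent-process list is an assumption to tune per environment) that flags a (host, user) pair running five distinct discovery LOLBins inside a five-minute sliding window, and separately any cmd.exe or PowerShell spawned by an Office application or an IIS worker (w3wp.exe).

```python
from collections import defaultdict
from datetime import datetime, timedelta
# LOLBins the note lists as typical discovery commands ("net" hands most subcommands to net1.exe).
DISCOVERY_BINS = {"whoami", "ipconfig", "net", "net1", "netstat", "tasklist", "systeminfo", "nltest"}
# Shells and the parents they rarely have a legitimate reason to spawn from (assumed list; tune per environment).
SHELLS, SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe"}, {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}

def image_name(path):  # r'C:\Windows\System32\net.exe' -> 'net.exe'
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def discovery_bin(cmdline):  # the discovery binary a command line invokes, or None
    parts = cmdline.split()
    name = image_name(parts[0]).removesuffix(".exe") if parts else ""
    return name if name in DISCOVERY_BINS else None

def detect_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Flag (host, user) pairs that run >= threshold distinct discovery tools inside one sliding window."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        tool = discovery_bin(e["cmd"])
        if tool:
            per_actor[(e["host"], e["user"])].append((e["ts"], tool))
    alerts = []
    for actor, runs in per_actor.items():
        start = 0
        for end in range(len(runs)):
            while runs[end][0] - runs[start][0] > window:  # drop runs that fell out of the window
                start += 1
            tools = {t for _, t in runs[start:end + 1]}
            if len(tools) >= threshold:
                alerts.append({"actor": actor, "first": runs[start][0], "last": runs[end][0], "tools": sorted(tools)})
                break  # one alert per actor is enough for triage
    return alerts

def detect_odd_parents(events):  # process-tree check: shell spawned by an Office app or an IIS worker
    return [e for e in events if image_name(e["image"]) in SHELLS and image_name(e["parent"]) in SUSPICIOUS_PARENTS]

# Constructed sample telemetry (not real data): a burst on a workstation at 02:13 plus one routine admin command.
def ev(minutes, host, user, image, parent, cmd):
    ts = datetime(2024, 3, 1, 2, 13) + timedelta(minutes=minutes)
    return {"ts": ts, "host": host, "user": user, "image": image, "parent": parent, "cmd": cmd}
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    ev(0.0, "WS-042", "j.silva", CMD, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmd.exe /c whoami"),
    ev(0.1, "WS-042", "j.silva", r"C:\Windows\System32\whoami.exe", CMD, "whoami"),
    ev(0.4, "WS-042", "j.silva", r"C:\Windows\System32\ipconfig.exe", CMD, "ipconfig /all"),
    ev(0.9, "WS-042", "j.silva", r"C:\Windows\System32\net.exe", CMD, 'net group "Domain Admins" /domain'),
    ev(1.5, "WS-042", "j.silva", r"C:\Windows\System32\nltest.exe", CMD, "nltest /dclist:corp"),
    ev(2.2, "WS-042", "j.silva", r"C:\Windows\System32\NETSTAT.EXE", CMD, "netstat -ano"),
    ev(430, "SRV-FS01", "svc-backup", r"C:\Windows\System32\ipconfig.exe", CMD, "ipconfig"),  # 09:23, routine
]
```

The routine 09:23 ipconfig on SRV-FS01 produces no alert, which is the point of counting distinct tools per actor within a window rather than alerting on any single LOLBin.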
## LATAM/Brazil Relevance

Ransomware groups operating in Brazil, including affiliates of [[lockbit|LockBit]], [[play-ransomware|Play]] and [[rhysida|Rhysida]], run aggressive discovery as soon as they gain access. The focus is fast: identify backup servers (to destroy them with [[t1490-inhibit-system-recovery|T1490]]) and file servers holding sensitive data (for double-extortion exfiltration). Organisations in the Brazilian [[government|government sector]] frequently run Active Directory with permissive configurations, where any domain user can enumerate the whole structure, which makes the adversary's work immensely easier.

- [[ta0006-credential-access|TA0006 - Credential Access]]: preceding phase
- [[ta0008-lateral-movement|TA0008 - Lateral Movement]]: following phase
- [[t1018-remote-system-discovery|T1018 - Remote System Discovery]]: discovery of remote hosts
- [[t1082-system-information-discovery|T1082 - System Information Discovery]]: information about the compromised system
- [[t1135-network-share-discovery|T1135 - Network Share Discovery]]: identification of network shares
- [[t1490-inhibit-system-recovery|T1490 - Inhibit System Recovery]]: destruction of backups after discovery
- [[lockbit|LockBit Operators]]: intensive use of discovery before ransomware deployment
- [[_techniques|Technique Index]]: overview of all documented techniques

## References

- [[ta0007-*|MITRE ATT&CK - TA0007 Discovery]]
- [BloodHound — Active Directory Attack Paths](https://github.com/BloodHoundAD/BloodHound)