# Discovery

```mermaid
graph TB
    A["🔍 Pos-Comprometimento<br/>Acesso Inicial Obtido"] --> B["💻 Sistema e Rede<br/>T1082 / T1016 / T1018"]
    A --> C["👤 Contas e Grupos<br/>T1087 / T1069"]
    A --> D["🔐 Politicas e Privilegios<br/>T1201 / T1615"]
    A --> E["☁️ Infraestrutura Cloud<br/>T1580 / T1526"]
    B --> F["🗺️ Mapa do Ambiente<br/>Preparacao para Movimentacao"]
    C --> F
    D --> F
    E --> F
```

> [!info] Overview
> The Discovery tactic (TA0007) covers the techniques used to map the compromised environment before moving on to lateral movement or exfiltration. The attacker needs to understand the network topology, the existing accounts, the privileges available and the active security controls in order to plan the next steps.
>
> **Techniques:** 43 techniques covering enumeration of systems, networks, accounts, services, policies and cloud infrastructure.
>
> **LATAM highlight:** Enumeration of Active Directory domains and mapping of network shares are critical steps in ransomware attacks against Brazilian companies.

> [!warning] Brazil/LATAM context
> In ransomware attacks against Brazilian companies in the healthcare, financial and manufacturing sectors, groups such as **LockBit** and **RansomHub** use **System Network Configuration Discovery (T1016)** and **Remote System Discovery (T1018)** tooling to map the entire network before starting encryption. **Domain Trust Discovery (T1482)** is common in environments with misconfigured Active Directory, a recurring situation in large Brazilian corporations. The Discovery stage typically lasts hours to days before the actual attack is executed.

> **43 techniques** · Mapping of the environment and internal network: enumeration of systems, services and permissions.
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome"
FROM "ttp/techniques/discovery"
WHERE type = "technique"
SORT title ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/discovery" WHERE type = "technique" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/discovery" WHERE type = "technique" SORT title ASC -->
| Note | Name |
| --- | --- |
| [[t1007-system-service-discovery\|T1007 - System Service Discovery]] | T1007 - System Service Discovery |
| [[t1010-application-window-discovery\|T1010 - Application Window Discovery]] | T1010 - Application Window Discovery |
| [[t1012-query-registry\|T1012 - Query Registry]] | T1012 - Query Registry |
| [[t1016-system-network-configuration-discovery\|T1016 - System Network Configuration Discovery]] | T1016 - System Network Configuration Discovery |
| [[t1016-001-internet-connection-discovery\|T1016.001 - Internet Connection Discovery]] | T1016.001 - Internet Connection Discovery |
| [[t1016-002-wi-fi-discovery\|T1016.002 - Wi-Fi Discovery]] | T1016.002 - Wi-Fi Discovery |
| [[t1018-remote-system-discovery\|T1018 - Remote System Discovery]] | T1018 - Remote System Discovery |
| [[t1033-system-owneruser-discovery\|T1033 - System Owner/User Discovery]] | T1033 - System Owner/User Discovery |
| [[t1046-network-service-discovery\|T1046 - Network Service Discovery]] | T1046 - Network Service Discovery |
| [[t1049-system-network-connections-discovery\|T1049 - System Network Connections Discovery]] | T1049 - System Network Connections Discovery |
| [[t1057-process-discovery\|T1057 - Process Discovery]] | T1057 - Process Discovery |
| [[t1069-permission-groups-discovery\|T1069 - Permission Groups Discovery]] | T1069 - Permission Groups Discovery |
| [[t1069-001-local-groups\|T1069.001 - Local Groups]] | T1069.001 - Local Groups |
| [[t1069-002-domain-groups\|T1069.002 - Domain Groups]] | T1069.002 - Domain Groups |
| [[t1069-003-cloud-groups\|T1069.003 - Cloud Groups]] | T1069.003 - Cloud Groups |
| [[t1082-system-information-discovery\|T1082 - System Information Discovery]] | T1082 - System Information Discovery |
| [[t1083-file-and-directory-discovery\|T1083 - File and Directory Discovery]] | T1083 - File and Directory Discovery |
| [[t1087-account-discovery\|T1087 - Account Discovery]] | T1087 - Account Discovery |
| [[t1087-001-local-account\|T1087.001 - Local Account]] | T1087.001 - Local Account |
| [[t1087-002-domain-account\|T1087.002 - Domain Account]] | T1087.002 - Domain Account |
| [[t1087-003-email-account\|T1087.003 - Email Account]] | T1087.003 - Email Account |
| [[t1087-004-cloud-account\|T1087.004 - Cloud Account]] | T1087.004 - Cloud Account |
| [[t1120-peripheral-device-discovery\|T1120 - Peripheral Device Discovery]] | T1120 - Peripheral Device Discovery |
| [[t1124-system-time-discovery\|T1124 - System Time Discovery]] | T1124 - System Time Discovery |
| [[t1135-network-share-discovery\|T1135 - Network Share Discovery]] | T1135 - Network Share Discovery |
| [[t1201-password-policy-discovery\|T1201 - Password Policy Discovery]] | T1201 - Password Policy Discovery |
| [[t1217-browser-information-discovery\|T1217 - Browser Information Discovery]] | T1217 - Browser Information Discovery |
| [[t1416-active-application-window\|T1416 - Active Application Window]] | T1416 - Active Application Window |
| [[t1422-system-network-configuration-discovery\|T1422 - System Network Configuration Discovery]] | T1422 - System Network Configuration Discovery |
| [[t1482-domain-trust-discovery\|T1482 - Domain Trust Discovery]] | T1482 - Domain Trust Discovery |
| [[t1518-software-discovery\|T1518 - Software Discovery]] | T1518 - Software Discovery |
| [[t1518-001-security-software-discovery\|T1518.001 - Security Software Discovery]] | T1518.001 - Security Software Discovery |
| [[t1518-002-backup-software-discovery\|T1518.002 - Backup Software Discovery]] | T1518.002 - Backup Software Discovery |
| [[t1526-cloud-service-discovery\|T1526 - Cloud Service Discovery]] | T1526 - Cloud Service Discovery |
| [[t1538-cloud-service-dashboard\|T1538 - Cloud Service Dashboard]] | T1538 - Cloud Service Dashboard |
| [[t1580-cloud-infrastructure-discovery\|T1580 - Cloud Infrastructure Discovery]] | T1580 - Cloud Infrastructure Discovery |
| [[t1613-container-and-resource-discovery\|T1613 - Container and Resource Discovery]] | T1613 - Container and Resource Discovery |
| [[t1614-system-location-discovery\|T1614 - System Location Discovery]] | T1614 - System Location Discovery |
| [[t1614-001-system-language-discovery\|T1614.001 - System Language Discovery]] | T1614.001 - System Language Discovery |
| [[t1615-group-policy-discovery\|T1615 - Group Policy Discovery]] | T1615 - Group Policy Discovery |
| [[t1619-cloud-storage-object-discovery\|T1619 - Cloud Storage Object Discovery]] | T1619 - Cloud Storage Object Discovery |
| [[t1652-device-driver-discovery\|T1652 - Device Driver Discovery]] | T1652 - Device Driver Discovery |
| [[t1654-log-enumeration\|T1654 - Log Enumeration]] | T1654 - Log Enumeration |
| [[t1673-virtual-machine-discovery\|T1673 - Virtual Machine Discovery]] | T1673 - Virtual Machine Discovery |
| [[t1680-local-storage-discovery\|T1680 - Local Storage Discovery]] | T1680 - Local Storage Discovery |
<!-- SerializedQuery END -->

---

**Navigation:** [[_techniques|Techniques]] · [[_tactics|Tactics]] · [[_procedures|Procedures]]