Discovery - TA0007

Objective:

  • Gather information about the system, network, and environment to inform the next steps. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

  • ID: TA0007

    • https://attack.mitre.org/tactics/TA0007/


Linux Context:

  • Discovery on Linux uses built-in commands to map the landscape. who, w, or cat /etc/passwd lists users, while ps aux, top, or lsof reveals processes and open files. Network details emerge from netstat -tuln, ip a, or ss. Filesystem enumeration (lsblk, df -h) identifies mounted drives, and uname -a or cat /etc/os-release provides system info. Attackers may run nmap internally or query /proc for kernel details. In cloud environments, they explore the container runtime (docker ps) or Kubernetes APIs.


Key Techniques:

  • Account Discovery (T1087): Enumerating users and groups.

  • System Information Discovery (T1082): Checking kernel and distro versions.

  • Network Service Discovery (T1046): Scanning internal subnets.


Flow Example:

  • Running cat /etc/passwd | grep "sh$" to find shell users, or nmap -sn 192.168.1.0/24 to map the network.


Defender Strategies:

  • Log command execution with EDR, restrict access to /proc, and monitor network scans with IDS (e.g., Zeek).
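The following is an added example of the detection side of this page, not EDRmetry's own code: it takes command-execution records such as an EDR or an auditd EXECVE pipeline would emit, maps each command line to the Discovery techniques it suggests (T1087, T1082 and T1046 from the page, plus the standard ATT&CK IDs T1049 and T1016 for connection and network-configuration discovery), and raises one alert when a single (uid, session) runs several distinct techniques inside a short window. The line format, the sample log lines, the window size and the threshold are all assumptions constructed for this example.

```python
"""Flag bursts of Discovery (TA0007) commands in command-execution logs.

Added example, not EDRmetry's code. It assumes a simplified, constructed
per-line format of the form
    <epoch> uid=<n> ses=<n> cmd="<full command line>"
as a normalised EDR or auditd EXECVE feed might provide.
"""
import re
import shlex
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) uid=(?P<uid>\d+) ses=(?P<ses>\d+) cmd="(?P<cmd>[^"]*)"$'
)

# Program name -> technique. T1087/T1082/T1046 are the IDs named on the page;
# T1049 (connections) and T1016 (network configuration) are standard ATT&CK IDs.
TECHNIQUES = {
    "T1087": {"who", "w", "id", "getent", "last", "lastlog"},
    "T1082": {"uname", "hostname", "lsblk", "df", "lscpu", "dmesg"},
    "T1046": {"nmap", "nping", "masscan"},
    "T1049": {"ss", "netstat", "lsof"},
    "T1016": {"ip", "ifconfig"},
}
# Reads of these files count whatever the reader is (cat, less, head, grep ...).
FILE_HINTS = {
    "/etc/passwd": "T1087",
    "/etc/group": "T1087",
    "/etc/os-release": "T1082",
    "/proc/version": "T1082",
}

def classify(cmd):
    """Return the set of technique IDs a single command line suggests."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        argv = cmd.split()
    # Split a pipeline on stand-alone '|' tokens so each stage is inspected
    # (a '|' glued to its neighbours is not split; acceptable for this example).
    stages, cur = [], []
    for tok in argv:
        if tok == "|":
            stages.append(cur)
            cur = []
        else:
            cur.append(tok)
    stages.append(cur)
    found = set()
    for stage in stages:
        if not stage:
            continue
        prog = stage[0].rsplit("/", 1)[-1]      # /usr/bin/nmap -> nmap
        for tid, progs in TECHNIQUES.items():
            if prog in progs:
                found.add(tid)
        for arg in stage[1:]:
            for path, tid in FILE_HINTS.items():
                if arg.startswith(path):
                    found.add(tid)
    return found

def parse_line(line):
    """Parse one constructed log line; return (ts, uid, ses, cmd) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), int(m["uid"]), int(m["ses"]), m["cmd"]

def detect_bursts(lines, window=300, min_techniques=3):
    """Alert once per (uid, ses) when >= min_techniques distinct Discovery
    techniques appear within `window` seconds of each other."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, uid, ses, cmd = parsed
        techs = classify(cmd)
        if techs:                       # ignore commands that are not Discovery
            events.append((ts, uid, ses, cmd, techs))
    events.sort(key=lambda e: e[0])
    recent = defaultdict(list)          # (uid, ses) -> [(ts, techs), ...]
    alerted, alerts = set(), []
    for ts, uid, ses, cmd, techs in events:
        key = (uid, ses)
        bucket = [e for e in recent[key] if ts - e[0] <= window] + [(ts, techs)]
        recent[key] = bucket
        seen = set().union(*(t for _, t in bucket))
        if len(seen) >= min_techniques and key not in alerted:
            alerted.add(key)
            alerts.append({"uid": uid, "ses": ses, "first_ts": bucket[0][0],
                           "alert_ts": ts, "techniques": sorted(seen),
                           "trigger": cmd})
    return alerts

# Constructed sample log: one session sweeps users, kernel, sockets and the
# subnet within 90 s; a second session runs two harmless-looking commands an
# hour apart and must not alert.
SAMPLE_LOG = """\
1700000000 uid=1001 ses=7 cmd="ls -la /home/alice"
1700000005 uid=1001 ses=7 cmd="cat /etc/passwd | grep -E sh$"
1700000012 uid=1001 ses=7 cmd="uname -a"
1700000020 uid=1001 ses=7 cmd="ss -tuln"
1700000090 uid=1001 ses=7 cmd="nmap -sn 192.168.1.0/24"
1700000100 uid=1002 ses=9 cmd="df -h"
1700003700 uid=1002 ses=9 cmd="who"
"""

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold on distinct techniques rather than on raw command count is the point: any admin runs df -h, but few run user, kernel, socket and subnet enumeration inside five minutes of each other in one session. Tune window and min_techniques against your own baseline before deploying, and feed it the real EXECVE or EDR fields rather than the constructed format above.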


The current list of corresponding EDRmetry test definitions includes:

  • EDR-T6065 - /proc/PID enumeration

  • EDR-T6036 - C2 randomized hostname lookups

  • EDR-T6050 - Check ASLR configuration

  • EDR-T6055 - Check bpf settings from /proc

  • EDR-T6265 - Dismap Asset Discovery

  • EDR-T6097 - Download and launch LinEnum

  • EDR-T6084 - Enumerate kernel modules

  • EDR-T6225 - Execute "What Server" Enumeration

  • EDR-T6040 - Execute LinPEAS from /dev/tcp

  • EDR-T6069 - Execute nping

  • EDR-T6259 - Find all suid/sgid files

  • EDR-T6260 - Find all writeable dirs

  • EDR-T6263 - Find SSH keys

  • EDR-T6223 - LKM Get Kernel Text Region Address

  • EDR-T6047 - Kcore Memory File Read

  • EDR-T6218 - Linux VM Check via Hardware

  • EDR-T6217 - Linux VM Check via Kernel Modules

  • EDR-T6124 - Local Network Discovery Scan

  • EDR-T6251 - Process Snooping with pspy

  • EDR-T6338 - Process Snooping with rspy

  • EDR-T6204 - Read local file using curl

  • EDR-T6068 - Sudo Enumeration

  • EDR-T6343 - DNS TXT request

  • EDR-T6276 - List capabilities of binaries

  • EDR-T6341 - Scan SSH services with SSHamble

  • EDR-T6372 - K8S - List RBAC permissions

  • EDR-T6374 - K8S - Enumerate nodes

  • EDR-T6373 - K8S - Enumerate pods
