Discovery Detection Rules
The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
df00tech ships 50 production-ready detection rules mapped to the Discovery tactic (TA0007). Each rule below includes copy-paste queries for Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), QRadar, Sumo Logic, Chronicle and LogScale, with data-source requirements, severity and false-positive guidance — free to use.
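Before the rule list, an added illustration of what one of these detections does under the hood. It is example code written for this page, not one of df00tech's shipped rules or SIEM queries: it tags process-creation command lines with the Discovery technique IDs listed below (net, nltest, whoami, ipconfig, systeminfo and similar built-ins the tactic description refers to) and raises an alert when one host/user pair exercises several distinct techniques inside a short window, which is the usual shape of a "discovery burst" rule. The event field names, the five-minute window, the four-technique threshold, the allowlisted service account and the sample events are all assumptions constructed for the example.

```python
"""Discovery burst detector over process-creation events (illustrative, not a df00tech rule).

Events mimic Sysmon Event ID 1 / 4688 records. Field names (ts, host, user, cmdline)
are assumptions of this example, as are the thresholds and sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for common discovery built-ins, each mapped to the
# ATT&CK technique ID it most directly evidences (IDs as listed on this page).
DISCOVERY_PATTERNS = [
    (re.compile(r"\bwhoami(\.exe)?\b", re.I), "T1033"),
    (re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b", re.I), "T1087.002"),
    (re.compile(r"\bnet1?(\.exe)?\s+user\b(?!.*\s/domain\b)", re.I), "T1087.001"),
    (re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I), "T1069.002"),
    (re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I), "T1069.001"),
    (re.compile(r"\bnet1?(\.exe)?\s+accounts\b", re.I), "T1201"),
    (re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I), "T1018"),
    (re.compile(r"\bnet1?(\.exe)?\s+share\b", re.I), "T1135"),
    (re.compile(r"\bnltest(\.exe)?\b.*/(domain_trusts|dclist)", re.I), "T1482"),
    (re.compile(r"\bipconfig(\.exe)?\b", re.I), "T1016"),
    (re.compile(r"\bsysteminfo(\.exe)?\b", re.I), "T1082"),
    (re.compile(r"\btasklist(\.exe)?\b", re.I), "T1057"),
    (re.compile(r"\bnetstat(\.exe)?\b", re.I), "T1049"),
    (re.compile(r"\bsc(\.exe)?\s+query\b", re.I), "T1007"),
]


def tag_techniques(cmdline):
    """Return the set of technique IDs whose pattern matches this command line."""
    return {tid for pat, tid in DISCOVERY_PATTERNS if pat.search(cmdline)}


def detect_discovery_bursts(events, window=timedelta(minutes=5),
                            min_techniques=4, allowlisted_users=frozenset()):
    """Flag each (host, user) that runs >= min_techniques distinct Discovery
    techniques within `window`. Returns {(host, user): alert_dict}."""
    by_key = defaultdict(list)
    for ev in events:
        # Allowlisted accounts (inventory/monitoring tools) are the documented
        # false-positive source for this kind of rule; drop them up front.
        if ev["user"].lower() in allowlisted_users:
            continue
        tids = tag_techniques(ev["cmdline"])
        if tids:
            by_key[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), tids, ev["cmdline"]))

    alerts = {}
    for key, hits in by_key.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until hits[start:end+1] fit in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            seen = set().union(*(h[1] for h in hits[start:end + 1]))
            if len(seen) >= min_techniques:
                prev = alerts.get(key)
                if prev is None or len(seen) > len(prev["techniques"]):
                    alerts[key] = {
                        "first_seen": hits[start][0],
                        "last_seen": hits[end][0],
                        "techniques": seen,
                        "commands": [h[2] for h in hits[start:end + 1]],
                    }
    return alerts


# Constructed sample telemetry for the example (not real events).
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T09:00:05", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "whoami /all"},
    {"ts": "2024-05-02T09:00:41", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "net user jdoe /domain"},
    {"ts": "2024-05-02T09:01:12", "host": "WS01", "user": "CORP\\jdoe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2024-05-02T09:01:50", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2024-05-02T09:02:30", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "ipconfig /all"},
    {"ts": "2024-05-02T09:03:07", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "systeminfo"},
    # One ipconfig from an admin is not a burst.
    {"ts": "2024-05-02T09:10:00", "host": "WS02", "user": "CORP\\admin1", "cmdline": "ipconfig"},
    # Four techniques, but 20 minutes apart: never four inside one window.
    {"ts": "2024-05-02T10:00:00", "host": "WS04", "user": "CORP\\alice", "cmdline": "whoami"},
    {"ts": "2024-05-02T10:20:00", "host": "WS04", "user": "CORP\\alice", "cmdline": "systeminfo"},
    {"ts": "2024-05-02T10:40:00", "host": "WS04", "user": "CORP\\alice", "cmdline": "tasklist /v"},
    {"ts": "2024-05-02T11:00:00", "host": "WS04", "user": "CORP\\alice", "cmdline": "netstat -ano"},
    # Inventory service account: looks like a burst, suppressed by allowlist.
    {"ts": "2024-05-02T12:00:00", "host": "WS03", "user": "CORP\\svc_inventory", "cmdline": "systeminfo"},
    {"ts": "2024-05-02T12:00:01", "host": "WS03", "user": "CORP\\svc_inventory", "cmdline": "tasklist"},
    {"ts": "2024-05-02T12:00:02", "host": "WS03", "user": "CORP\\svc_inventory", "cmdline": "netstat -an"},
    {"ts": "2024-05-02T12:00:03", "host": "WS03", "user": "CORP\\svc_inventory", "cmdline": "net localgroup administrators"},
]


def run_sample():
    """Run the detector over the constructed events; only WS01/jdoe should alert."""
    return detect_discovery_bursts(SAMPLE_EVENTS,
                                   allowlisted_users={"corp\\svc_inventory"})


if __name__ == "__main__":
    for (host, user), alert in run_sample().items():
        print(f"{host} {user}: {sorted(alert['techniques'])} "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

The same structure maps directly onto the SIEM queries a rule like this ships with: the pattern table becomes a `case`/`where` block over the command-line field, the sliding window becomes a time-bucketed `summarize`/`stats` with `dcount` of technique IDs per host and user, and the allowlist becomes the false-positive exclusion the rule documents. Tuning the window and threshold is the practical lever: a single `ipconfig` or `whoami` is routine, while five distinct discovery tools from one account in three minutes rarely is.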
Discovery detections (50)
- T1007 System Service Discovery
- T1010 Application Window Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1016.001 Internet Connection Discovery
- T1016.002 Wi-Fi Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1040 Network Sniffing
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1069 Permission Groups Discovery
- T1069.001 Local Groups
- T1069.002 Domain Groups
- T1069.003 Cloud Groups
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087 Account Discovery
- T1087.001 Local Account
- T1087.002 Domain Account
- T1087.003 Email Account
- T1087.004 Cloud Account
- T1120 Peripheral Device Discovery
- T1124 System Time Discovery
- T1135 Network Share Discovery
- T1201 Password Policy Discovery
- T1217 Browser Information Discovery
- T1482 Domain Trust Discovery
- T1497 Virtualization/Sandbox Evasion
- T1497.001 System Checks
- T1497.002 User Activity Based Checks
- T1497.003 Time Based Checks
- T1518 Software Discovery
- T1518.001 Security Software Discovery
- T1518.002 Backup Software Discovery
- T1526 Cloud Service Discovery
- T1538 Cloud Service Dashboard
- T1580 Cloud Infrastructure Discovery
- T1613 Container and Resource Discovery
- T1614 System Location Discovery
- T1614.001 System Language Discovery
- T1615 Group Policy Discovery
- T1619 Cloud Storage Object Discovery
- T1622 Debugger Evasion
- T1652 Device Driver Discovery
- T1654 Log Enumeration
- T1673 Virtual Machine Discovery
- T1680 Local Storage Discovery
- THREAT-Ransomware-StagingIndicators Ransomware Pre-Deployment Staging Indicators