MITRE ATT&CK® Tactic

TA0032: Discovery

The adversary is trying to figure out your environment.

Discovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.

Mobile · TA0032 · Tactic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Discovery in the mobile ATT&CK domain is the post-compromise orientation phase: an adversary with access to a mobile device tries to understand the device, its environment, and potentially connected systems. For leaders, this matters because discovery often determines what the adversary can do next, what data or systems may be reachable, and how quickly incident responders can scope exposure.

Executive priority

Treat mobile discovery as an incident scoping and resilience issue, not just a technical behavior. Security leaders should ask whether the organization can identify unusual information-gathering activity on managed mobile devices, whether mobile telemetry is available to the SOC and incident response teams, and whether audit evidence exists to show what device, network, and access controls are in place. Because the ATT&CK object provides no specific techniques, platforms, or detections, prioritization should be based on local mobile risk: sensitive business use, privileged identities on mobile devices, regulated data access, and dependency on mobile workflows for operations.

Technical view

For SOC, detection engineering, and IR teams, the key validation question is whether mobile device activity can be reconstructed well enough to determine what an adversary learned after gaining access. The official object identifies discovery as gaining knowledge about characteristics of a mobile device and potentially other networked systems, but it does not provide detection logic or platform-specific guidance. Teams should therefore validate mobile management, device security, identity, application, and network logs for visibility into unusual enumeration-like activity, changes in device context, and access to environment information during an investigation.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance records
  • Mobile endpoint security events where deployed
  • Mobile application access and authentication logs
  • Identity provider sign-in and token/session activity associated with mobile devices
  • Network connection metadata from mobile devices where available

Detection direction

  • Confirm whether the SOC receives mobile-relevant telemetry at all; the ATT&CK object has no official detection guidance, so coverage depends on local controls and logging.
  • Baseline normal mobile device, application, identity, and network behavior so discovery-like information access can be distinguished from routine device management or user activity.
  • Correlate mobile discovery indicators with post-compromise context, such as suspicious authentication, new device risk state, unusual application behavior, or investigation findings.
  • Watch for blind spots caused by unmanaged personal devices, limited mobile logging, privacy constraints, short telemetry retention, and lack of integration between mobile management and SIEM workflows.
  • Tune carefully because legitimate operating system, security, and management functions may also collect device and environment characteristics.

Mitigation priorities

  • Establish or validate mobile device management and security posture visibility for devices that access business resources.
  • Limit business access from mobile devices based on device compliance, identity assurance, and least-privilege principles.
  • Ensure identity and access logs for mobile sessions are retained and available to SOC and IR teams.
  • Integrate mobile telemetry into incident response playbooks so responders can determine what environment information may have been exposed.
  • Use compliance and risk reviews to identify high-value mobile use cases where discovery visibility gaps could affect breach scoping or operational continuity.

Analyst notes and limits

This object is a tactic, not a technique, so it describes adversary intent rather than a specific procedure. The available relationship context is empty, and no official detection text is supplied. The most useful defensive action is to validate whether the organization can observe and investigate mobile post-compromise discovery activity in its own environment.

Platforms are not specified in the supplied object, and no related techniques, mitigations, procedures, or detections were provided. The take is therefore limited to conservative, tactic-level guidance based on the official mobile Discovery description and external reference.

Official MITRE ATT&CK definition

Discovery

The adversary is trying to figure out your environment.

Discovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown)
Modified: (not shown)
Raw hash: 258b8ad68932da12...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 258b8ad68932…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack TA0032 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.