Discovery (MITRE ATT&CK TA0007) is the set of actions an adversary takes after gaining a foothold to learn the target environment and find the best paths to achieve objectives (privilege escalation, lateral movement, credential access, data access/exfiltration). Discovery includes enumerating users, groups, computers, services, network configuration, shares, listening ports, installed software, and security products. It is often noisy, but it is also one of the earliest and most actionable signs of an intrusion: treat a burst of enumeration commands from a single host as a potential active intrusion and escalate the investigation.
systeminfo — shows OS version, patch level, system boot time, manufacturer, domain membership. Used to fingerprint the host and choose exploits.
wmic qfe get Caption,Description — lists installed hotfixes/KBs. Used to find missing patches or exploit targets.
hostname — returns the machine name; quick mapping.
whoami — shows the current account context; quick confirmation of identity.
whoami /priv — lists privileges in the token (e.g., SeDebugPrivilege); helps determine possible actions.
whoami /groups — shows group memberships; identifies privilege sets.
net user — lists local accounts on the host; finds local admin accounts.
net user <username> /domain — shows domain user attributes (last logon, groups).
net localgroup — lists local groups.
net localgroup administrators — lists local Administrators group members (prime for lateral movement).
net group — on a DC, enumerates domain groups.
net accounts — shows the local password policy (lockout, max password age).
tasklist /v — verbose process list with session/user details; useful for parent/child analysis.
sc query — queries service states; finds services running as SYSTEM or misconfigured services.
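The detection advice above (treat a burst of enumeration from one host as a possible intrusion) as a small rule over process-creation events. This is an added example, not code from the page or from MITRE; the event shape, the five-minute window and the four-distinct-commands threshold are assumptions.

```python
# Added example (not from the page): flag a burst of Discovery commands in process-creation logs.
# Events mirror Security 4688 / Sysmon 1 fields; window and threshold are assumed values.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration commands from the page, matched against the full command line.
DISCOVERY_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "net_user": re.compile(r"\bnet1?\s+user\b", re.I),
    "net_localgroup": re.compile(r"\bnet1?\s+localgroup\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "sc_query": re.compile(r"\bsc(\.exe)?\s+query\b", re.I),
}

def classify(cmdline):
    """Names of the discovery commands one command line matches."""
    return {n for n, p in DISCOVERY_PATTERNS.items() if p.search(cmdline)}

def find_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Per host, alert when >= min_distinct distinct discovery commands run within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        names = classify(ev["cmdline"])
        if names:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), names))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):  # sliding window anchored at each hit
            seen = set()
            for t, names in hits[i:]:
                if t - start > window:
                    break
                seen |= names
            if len(seen) >= min_distinct:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample: WS01 runs four enumeration commands in 20 s; WS02 runs two, hours apart.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-01-10T09:00:01", "cmdline": "whoami /priv"},
    {"host": "WS01", "time": "2024-01-10T09:00:05", "cmdline": "net user"},
    {"host": "WS01", "time": "2024-01-10T09:00:09", "cmdline": "net localgroup administrators"},
    {"host": "WS01", "time": "2024-01-10T09:00:20", "cmdline": "systeminfo"},
    {"host": "WS02", "time": "2024-01-10T09:00:02", "cmdline": "whoami"},
    {"host": "WS02", "time": "2024-01-10T11:00:02", "cmdline": "net user"},
]
```

Running `find_bursts(SAMPLE_EVENTS)` alerts on WS01 only; WS02's two isolated commands, typical of routine administration, fall outside the window and stay quiet.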