Discovery_command
Definition
A **discovery command** is any command an attacker runs after gaining access to a system to **learn more about the environment** they’ve landed in. Think of it like a burglar sneaking into a building and quietly checking the rooms, looking for valuables and escape routes — except in the digital world, the burglar is mapping out the system, network, and connected resources.

Discovery commands help attackers figure out:

* What operating system they’re on
* What user accounts exist
* What files or directories are available
* What processes are running
* What network connections are open
* What security tools are installed

On Windows, examples include:

```
whoami          # Shows current user
ipconfig /all   # Lists network configuration
net user        # Lists user accounts
tasklist        # Lists running processes
```

On Linux/macOS, examples include:

```
uname -a        # Shows OS details
ifconfig        # Lists network configuration
ls /home        # Lists user directories
ps aux          # Lists running processes
```

In cybersecurity investigations, spotting these commands in logs can be a big clue that someone is **exploring without permission**. If you see a sequence of them shortly after a suspicious login or malware execution, it’s often a sign of **post-compromise reconnaissance** — a phase where attackers gather intel to plan their next moves, such as privilege escalation or lateral movement.
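The "sequence of them" clue can be turned into a simple detection. The sketch below is an added example, not part of the original glossary entry: it flags any host and user that runs several distinct discovery commands from the lists above within a short window. The log format, the 5-minute window, the threshold of 3, and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Discovery commands named on this page, keyed by their leading token(s).
DISCOVERY = {"whoami", "ipconfig", "net user", "tasklist",
             "uname", "ifconfig", "ls /home", "ps"}

# Constructed sample process-creation events: "timestamp host user command line"
SAMPLE_LOG = """\
2024-05-01T10:00:05 ws01 alice whoami
2024-05-01T10:00:20 ws01 alice ipconfig /all
2024-05-01T10:00:41 ws01 alice net user
2024-05-01T10:01:10 ws01 alice tasklist
2024-05-01T10:03:00 ws02 bob ipconfig /all
2024-05-01T11:30:00 ws02 bob whoami
2024-05-01T12:00:00 srv01 carol ps aux
2024-05-01T12:00:30 srv01 carol ls /var/log
"""

def classify(cmdline):
    """Return the discovery command a command line matches, or None."""
    tokens = cmdline.lower().split()
    for n in (2, 1):  # try two-token names ("net user") before one-token names
        key = " ".join(tokens[:n])
        if key in DISCOVERY:
            return key
    return None

def find_bursts(log_text, window=timedelta(minutes=5), threshold=3):
    """Flag (host, user) pairs with >= threshold distinct discovery commands inside window."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split(" ", 3)
        name = classify(cmd)
        if name:
            events.setdefault((host, user), []).append((datetime.fromisoformat(ts), name))
    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            distinct = {n for t, n in evs[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append((host, user, start.isoformat(), sorted(distinct)))
                break  # one alert per host/user is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

Counting distinct commands rather than total events keeps a single repeated `ipconfig` from an administrator or script below the threshold, while a quick run through several different commands still fires.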