Gaining access to a system is only the beginning of a cyberattack. Once attackers establish an initial foothold, they often spend time learning about the environment before taking further action. They identify users, computers, network shares, installed software, and security controls to determine the best path toward their objectives. This activity is known as Discovery, and it is one of the most important tactics in the MITRE ATT&CK framework.

For Security Operations Center (SOC) analysts, detecting discovery activity can provide an early opportunity to identify an attacker before credential theft, privilege escalation, or lateral movement occurs. The NIST Cybersecurity Framework (CSF) also emphasizes continuous monitoring and asset awareness, both of which help organizations recognize suspicious reconnaissance within their own networks.

What Is Discovery?

Discovery refers to the techniques attackers use to gather information about a compromised environment.

After gaining access, an attacker may attempt to identify:

  • Logged-on users
  • Local and domain accounts
  • Running processes
  • Installed software
  • Shared folders
  • Active network connections
  • Domain controllers
  • Security products installed on the endpoint

Most of these actions rely on legitimate operating system commands or administrative tools. Because system administrators perform similar tasks during routine maintenance, analysts must evaluate the context rather than assuming every discovery command is malicious.

Discovery and MITRE ATT&CK

The MITRE ATT&CK framework includes numerous discovery techniques, including T1087 – Account Discovery, T1016 – System Network Configuration Discovery, and T1057 – Process Discovery.

For example, an attacker may enumerate user accounts before attempting password attacks or identify running security software before attempting defense evasion. They may also collect information about network configuration before attempting lateral movement.

Individually, these activities may appear harmless. However, when several discovery techniques occur within a short period, particularly on systems where such activity is uncommon, they may indicate that an attacker is actively exploring the environment.

Recognizing this behavior early can prevent the attack from progressing to more damaging stages.

NIST Recommendations

The NIST Cybersecurity Framework recommends maintaining comprehensive visibility into enterprise systems through logging, endpoint monitoring, and asset management.

Organizations should establish normal baselines for administrative activity so analysts can identify unusual discovery behavior. Monitoring process creation, authentication events, and endpoint telemetry allows analysts to detect when systems are being queried in unexpected ways.

NIST also recommends applying the Principle of Least Privilege. Limiting user permissions reduces the amount of information available to attackers after an initial compromise.

Investigation Tips

When investigating possible discovery activity, SOC analysts should ask questions such as:

  • Is the user expected to perform administrative discovery?
  • Are multiple discovery commands being executed within a short time?
  • Did the activity occur immediately after a successful authentication?
  • Are other MITRE ATT&CK techniques occurring alongside the discovery activity?
  • Has the endpoint communicated with unfamiliar systems following the enumeration?

Answering these questions helps distinguish legitimate administrative work from attacker reconnaissance.

Correlating endpoint logs, authentication records, firewall logs, and EDR telemetry provides valuable context and improves investigation accuracy.

Conclusion

Discovery is a critical stage of many cyberattacks because attackers depend on environmental information to plan their next steps. Although many discovery commands are legitimate administrative tools, unusual patterns of system enumeration can provide early warning that an attacker is actively exploring the network.

By understanding the Discovery tactic within the MITRE ATT&CK framework and applying the monitoring and asset management recommendations of the NIST Cybersecurity Framework, SOC analysts can identify suspicious reconnaissance before attackers achieve credential theft, lateral movement, or data exfiltration. Detecting discovery activity early often provides defenders with the best opportunity to contain an attack before it becomes a major security incident.