Internal discovery after initial access: enumerate domain users/computers/groups, find network shares, identify additional services/hosts, map network topology, find credentials in files/memory.
Tools: BloodHound (AD mapping), PowerView (AD enumeration), Invoke-ShareFinder (find shares), Nmap (internal scanning), ADExplorer (AD browser). Initial discovery tells you where to go next. Look for: highly privileged accounts, service accounts, admin shares, password files, configuration files with credentials.