# T1082 System Information Discovery

-----------------------------------------------------------------------

## Technique Description

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information.(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to gather detailed system information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.
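The following is an added example, not code from the original playbook or from MITRE: it applies the native-logging idea above to constructed AWS CloudTrail-style records (JSON lines), picking out the instance-discovery API calls the page cites (EC2 `DescribeInstances`, SSM `DescribeInstanceInformation`) and then suppressing a baseline of principals that are expected to call them routinely, which is the benign-use caveat in the paragraph. The account number, role and user names, IP addresses and timestamps are all constructed for illustration.

```python
"""Filter constructed CloudTrail-style JSON-lines records for instance-discovery
API calls and drop calls made by a baseline of expected (inventory) principals.
Added example; the records and principal names below are constructed."""

import json

# (eventSource, eventName) pairs that return instance / VM information.
INSTANCE_DISCOVERY_APIS = {
    ("ec2.amazonaws.com", "DescribeInstances"),
    ("ssm.amazonaws.com", "DescribeInstanceInformation"),
}

# Constructed baseline: principals that legitimately enumerate instances
# (inventory, patch management). In practice this comes from your environment.
BASELINE_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/InventoryCollector/inventory",
}

# Constructed sample telemetry: one CloudTrail-like record per line.
SAMPLE_CLOUDTRAIL_JSONL = """\
{"eventTime": "2022-06-01T02:00:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": true, "sourceIPAddress": "10.0.1.5", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/InventoryCollector/inventory"}}
{"eventTime": "2022-06-01T14:37:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": true, "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-temp"}}
{"eventTime": "2022-06-01T14:37:09Z", "eventSource": "ssm.amazonaws.com", "eventName": "DescribeInstanceInformation", "readOnly": true, "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-temp"}}
{"eventTime": "2022-06-01T14:38:40Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": true, "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-temp"}}
{"eventTime": "2022-06-01T16:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "readOnly": false, "sourceIPAddress": "10.0.2.9", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"}}
"""


def parse_records(jsonl_text):
    """Parse JSON-lines text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def instance_discovery_calls(records):
    """Return every record whose (eventSource, eventName) is an instance-discovery API."""
    return [r for r in records
            if (r.get("eventSource"), r.get("eventName")) in INSTANCE_DISCOVERY_APIS]


def unexpected_discovery(records, baseline_principals):
    """Discovery calls made by principals outside the expected baseline,
    in the order they appear in the log. Each result keeps the full record so
    the hunter can pivot on sourceIPAddress and eventTime."""
    return [r for r in instance_discovery_calls(records)
            if r.get("userIdentity", {}).get("arn") not in baseline_principals]


def summarize(record):
    """One-line summary of a record for review output."""
    return "{eventTime} {arn} {eventName} from {ip}".format(
        eventTime=record["eventTime"],
        arn=record["userIdentity"]["arn"],
        eventName=record["eventName"],
        ip=record["sourceIPAddress"],
    )


if __name__ == "__main__":
    for rec in unexpected_discovery(parse_records(SAMPLE_CLOUDTRAIL_JSONL),
                                    BASELINE_PRINCIPALS):
        print(summarize(rec))
```

The baseline set is the important knob: without it, every inventory run fires, and with it the remaining hits are exactly the discovery calls from a principal and source address that have no business enumerating instances.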

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

  * IaaS

  * Linux

  * macOS

  * Network

### Data Sources:

  * **Process:** OS API Execution

  * **Command:** Command Execution

  * **Instance:** Instance Metadata

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has used native OS commands to understand privilege levels and system details.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used a file stealer that can examine system drives, including those other than the C drive.(Citation: TrendMicro Confucius APT Aug 2021)| 
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for system version and architecture information.(Citation: ATT TeamTNT Chimaera September 2020)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has gathered system information using <code>systeminfo</code>.(Citation: Avira Mustang Panda January 2020)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to capture the processor architecture of a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) collected the system volume serial number, GUID, and computer name.(Citation: PTSecurity Higaisa 2020)(Citation: Malwarebytes Higaisa 2020)| 
| Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a script to detect which Linux distribution and version is currently installed on the system.(Citation: ESET ForSSHe December 2018)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used <code>fsutil</code> to check available free space before executing actions that might create large files on disk.(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information.(Citation: NCC Group Chimera January 2021)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used malware to identify the computer name of a compromised host.(Citation: BlackBerry Bahamut)| 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has collected hardware details for the victim's system, including CPU and memory information.(Citation: RedCanary Mockingbird May 2020)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has used `uname -m` to collect the name and information about the infected system's kernel.(Citation: Anomali Rocke March 2019)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used “systeminfo” and similar commands to acquire detailed configuration information of a victim machine.(Citation: DFIR Ryuk's Return October 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, looking for the system's machine name.(Citation: Talos Frankenstein June 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has used a reconnaissance module to gather information about the operating system and hardware on the infected host.(Citation: Symantec Inception Framework March 2018)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has detected a target system’s OS version and system volume information.(Citation: TrendMicro TropicTrooper 2015)(Citation: TrendMicro Tropic Trooper May 2020)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) gathers computer name and information using the <code>systeminfo</code> command.(Citation: McAfee Honeybee)| 
| APT19 | [APT19](https://attack.mitre.org/groups/G0073) collected system architecture information. [APT19](https://attack.mitre.org/groups/G0073) used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can collect the victim’s OS version and machine name.(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) collects the computer name, the BIOS model, and execution path.(Citation: Talos Group123)| 
| Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) obtained OS version and hardware configuration from a victim.(Citation: Symantec Sowbug Nov 2017)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.(Citation: Unit 42 Magic Hound Feb 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. [APT32](https://attack.mitre.org/groups/G0050) executed shellcode to identify the name of the infected host.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)(Citation: FireEye APT32 April 2020)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>hostname</code> and <code>systeminfo</code> on a victim.(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)| 
| Gamaredon Group | A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: CERT-EE Gamaredon January 2021)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. [Patchwork](https://attack.mitre.org/groups/G0040) also enumerated all available drives on the victim's machine.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) used a backdoor to enumerate information about the infected system's operating system.(Citation: ESET Telebots July 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Lazarus Group | Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)| 
| APT18 | [APT18](https://attack.mitre.org/groups/G0026) can collect system information from the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can obtain information about the local system.(Citation: Symantec Buckeye)(Citation: evolution of pirpi)| 
| admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following commands after exploiting a machine with [LOWBALL](https://attack.mitre.org/software/S0042) malware to obtain information about the OS: <code>ver >> %temp%\download</code> <code>systeminfo >> %temp%\download</code>(Citation: FireEye admin@338)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used <code>fsutil</code> to check available free space before executing actions that might create large files on disk.(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover operating system configuration details using the <code>systeminfo</code> and <code>set</code> commands.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs operating system information discovery using <code>systeminfo</code> and has used implants to identify the system language and computer name.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1082)

  * [Amazon Describe Instance](https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html), Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.

  * [Google Instances Resource](https://cloud.google.com/compute/docs/reference/rest/v1/instances), Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.

  * [Microsoft Virutal Machine Api](https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get), Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.

  * [20 Macos Common Tools And Techniques](https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/), Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.

  * [Osx.Fairytale](https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/), Phil Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.

  * [Us-Cert-Ta18-106A](https://www.us-cert.gov/ncas/alerts/TA18-106A), US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

  * [Capec](https://capec.mitre.org/data/definitions/312.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use either native command-line tools or custom tools to query a filesystem for system information.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Surveys a system upon check-in to discover operating system configuration details using the `systeminfo`, `gpresult`, and `set` commands.

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1082 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md)
  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)
  * [ESET Turla ComRAT (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
- This technique is not all-inclusive. Operators should also look for Remote System Discovery (T1018), File and Directory Discovery (T1083), System Service Discovery (T1007), System Network Configuration Discovery (T1016), and System Network Connections Discovery (T1049).
- The use of these commands is not inherently bad, and these events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.
- Monitor processes and command-line arguments for actions that could be taken to gather system information related to services.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system and network information

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Add more commands as needed

  * **Query:** ```Event_id : (1 or 5 or 4688 or 4689) AND process.name : (reg.exe or hostname.exe or systeminfo.exe or wmic.exe or auditpol.exe or net.exe or net1.exe or msinfo32.exe or findstr.exe)```

#### Analytic 2

  * **Information:** System discovery is likely to be used from the command prompt or powershell. (wmic will have cmd/ps as parent).

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```process.parent.name : (cmd.exe or powershell.exe)```
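As an added example (not part of the original playbook), the two host analytics above re-implemented in Python and run over constructed Sysmon-style process-creation events, so the hunter-note logic of chaining events rather than judging one command in isolation can be seen working: Analytic 1 keeps process events for the discovery binaries in the page's query, Analytic 2 keeps anything spawned directly by `cmd.exe` or `powershell.exe`, and `discovery_chains` intersects the two and only reports a host/user pair that ran several distinct discovery tools. Field names follow the Elastic Common Schema used by the page's Kibana queries; the hosts, users and events are constructed, not real telemetry.

```python
"""Host Analytics 1 and 2 from this playbook as Python filters over constructed
Sysmon-style events, plus a chaining step that counts distinct discovery tools
per (host, user). Added example; sample events are constructed."""

from collections import defaultdict

# Analytic 1: process event ids and discovery binaries taken from the page's query.
PROCESS_EVENT_IDS = {1, 5, 4688, 4689}
DISCOVERY_BINARIES = {
    "reg.exe", "hostname.exe", "systeminfo.exe", "wmic.exe", "auditpol.exe",
    "net.exe", "net1.exe", "msinfo32.exe", "findstr.exe",
}
# Analytic 2: discovery launched interactively from a shell.
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01", "user": "CORP\\jdoe",
     "process.parent.name": "explorer.exe", "process.name": "outlook.exe",
     "process.command_line": "outlook.exe"},
    {"event_id": 1, "host": "ws01", "user": "CORP\\jdoe",
     "process.parent.name": "cmd.exe", "process.name": "systeminfo.exe",
     "process.command_line": "systeminfo"},
    {"event_id": 1, "host": "ws01", "user": "CORP\\jdoe",
     "process.parent.name": "cmd.exe", "process.name": "hostname.exe",
     "process.command_line": "hostname"},
    {"event_id": 1, "host": "ws01", "user": "CORP\\jdoe",
     "process.parent.name": "cmd.exe", "process.name": "wmic.exe",
     "process.command_line": "wmic os get caption,version"},
    # Inventory agent running wmic as SYSTEM from a service: hits Analytic 1 only.
    {"event_id": 1, "host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "process.parent.name": "services.exe", "process.name": "wmic.exe",
     "process.command_line": "wmic os get version"},
    # A single findstr from PowerShell: hits both analytics but is not a chain.
    {"event_id": 4688, "host": "ws03", "user": "CORP\\asmith",
     "process.parent.name": "powershell.exe", "process.name": "findstr.exe",
     "process.command_line": "findstr /i build"},
    {"event_id": 1, "host": "ws03", "user": "CORP\\asmith",
     "process.parent.name": "explorer.exe", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe"},
    # Sysmon event 11 (file create) for reg.exe: wrong event id for Analytic 1.
    {"event_id": 11, "host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "process.parent.name": "svchost.exe", "process.name": "reg.exe",
     "process.command_line": "reg export HKLM\\SOFTWARE out.reg"},
]


def analytic1(events):
    """Host Analytic 1: process events whose image is a known discovery binary."""
    return [e for e in events
            if e["event_id"] in PROCESS_EVENT_IDS
            and e["process.name"].lower() in DISCOVERY_BINARIES]


def analytic2(events):
    """Host Analytic 2: any process whose parent is cmd.exe or powershell.exe."""
    return [e for e in events
            if e["process.parent.name"].lower() in SHELL_PARENTS]


def discovery_chains(events, min_distinct=2):
    """Hunter-note logic: intersect the two analytics and count distinct discovery
    binaries per (host, user). Returns {(host, user): {binaries}} for pairs that
    ran at least `min_distinct` different discovery tools from a shell."""
    shell_launched = [e for e in analytic1(events)
                      if e["process.parent.name"].lower() in SHELL_PARENTS]
    per_actor = defaultdict(set)
    for e in shell_launched:
        per_actor[(e["host"], e["user"])].add(e["process.name"].lower())
    return {actor: names for actor, names in per_actor.items()
            if len(names) >= min_distinct}


if __name__ == "__main__":
    for (host, user), names in discovery_chains(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {sorted(names)}")
```

The threshold in `discovery_chains` is where the tuning lives: Analytic 1 alone also fires on the service-launched inventory `wmic`, and Analytic 2 alone fires on every interactive shell child, but requiring two or more distinct discovery tools from the same shell session narrows the output to the one host/user pair that looks like a survey.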



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

