OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. [1]

ID: S0165
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 18 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

OSInfo enumerates local and domain users[1]

.002 Account Discovery: Domain Account

OSInfo enumerates local and domain users[1]

Enterprise T1135 Network Share Discovery

OSInfo discovers shares on the network[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

OSInfo has enumerated the local administrators group.[1]

.002 Permission Groups Discovery: Domain Groups

OSInfo specifically looks for Domain Admins and power users within the domain.[1]

Enterprise T1012 Query Registry

OSInfo queries the registry to look for information about Terminal Services.[1]

Enterprise T1018 Remote System Discovery

OSInfo performs a connection test to discover remote systems in the network[1]

Enterprise T1082 System Information Discovery

OSInfo discovers information about the infected machine.[1]

Enterprise T1016 System Network Configuration Discovery

OSInfo discovers the current domain information.[1]

Enterprise T1049 System Network Connections Discovery

OSInfo enumerates the current network connections similar to net use .[1]

Groups That Use This Software

ID Name References
G0022 APT3