OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. [1]

ID: S0165
Platforms: Windows
Version: 1.0
Created: 16 January 2018
Last Modified: 17 October 2018

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | OSInfo enumerates local and domain users.[1] |
| Enterprise | T1135 | Network Share Discovery | OSInfo discovers shares on the network.[1] |
| Enterprise | T1069 | Permission Groups Discovery | OSInfo specifically looks for Domain Admins, Power Users, and the Administrators groups within the domain and locally.[1] |
| Enterprise | T1012 | Query Registry | OSInfo queries the registry to look for information about Terminal Services.[1] |
| Enterprise | T1018 | Remote System Discovery | OSInfo performs a connection test to discover remote systems in the network.[1] |
| Enterprise | T1082 | System Information Discovery | OSInfo discovers information about the infected machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | OSInfo discovers the current domain information.[1] |
| Enterprise | T1049 | System Network Connections Discovery | OSInfo enumerates the current network connections similar to net use.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0022 | APT3 | [1] |