System Information Discovery
|System Information Discovery|
|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux|
|Data Sources||Process command-line parameters, Process monitoring|
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Example commands and utilities that obtain this information include
ver, Systeminfo, and
dir within cmd for identifying information based on present files and directories.
- Ke3chang performs operating system information discovery using systeminfo commands.1
- Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.2
- admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ** ver >> %temp%\download ** systeminfo >> %temp%\download3
- Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information.45
- Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.6
- Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server .7
- A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.8
- Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the machine and operating system.9
- During its initial execution, BACKSPACE extracts operating system information from the infected host.10
- BUBBLEWRAP collects system information, including the operating system version and hostname.3
- JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum.11
- ADVSTORESHELL can run Systeminfo to gather information about the victim.1213
- A system info module in CozyCar gathers information on the victim host’s configuration.14
- PinchDuke gathers system configuration information.15
- SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.16
- WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.16
- Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.16
- DustySky extracts basic information about the operating system.17
- 4H RAT sends an OS version identifier in its beacons.18
- MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.19
- Elise executes systeminfo after initial communication is made to the remote server.20
- Emissary has the capability to execute ver, systeminfo, and gpresult commands.21
- The initial beacon packet for Misdat contains the operating system version of the victim.22
- The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.22
- The initial beacon packet for S-Type contains the operating system version and file system of the victim.22
- ZLib has the ability to enumerate system information.22
- Kasidet has the ability to obtain a victim's system name and operating system version.23
- BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.24 25
- Backdoor.Oldrea collects information about the OS, computer name, and Internet adapter configuration.26
- Systeminfo can be used to gather information about the operating system.27
- T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.28
- cmd can be used to find information about the operating system.29
- A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.30
- Crimson contains a command to collect the victim PC name and operating system.31
- Pisloader has a command to collect victim system information, including the system name and OS version.32
- Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.33
- Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.34
- CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.35
- PowerDuke has commands to get information about the victim's name, build, version, logical drives, drive type, free space, serial number, and memory usage.36
- Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.37
- StreamEx has the ability to enumerate system information.38
- ChChes collects the victim hostname, window resolution, and Microsoft Windows version.39
- RTM can obtain the computer name, OS version, and default language identifier.40
- MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.41
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting42 tools, like AppLocker,4344 or Software Restriction Policies45 where appropriate.46
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
- Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
- Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.