System Information Discovery

From enterprise
Jump to: navigation, search
System Information Discovery
Technique
ID T1082
Tactic Discovery
Platform Linux, macOS, Windows
Permissions Required User
Data Sources Process command-line parameters, Process monitoring
CAPEC ID CAPEC-311

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Windows

Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories.

Mac

On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.

Examples

  • APT28 has enumerated installed applications on macOS devices with built-in utilities such as ls -al /Applications1.
  • APT3 has a tool that can obtain information about the local system.2 3
  • A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.4
  • Ke3chang performs operating system information discovery using systeminfo commands.5
  • Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information.678
  • Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.9
  • OilRig has run hostname and systeminfo on a victim.1011
  • Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server .12
  • Sowbug obtained OS version and hardware configuration from a victim.13
  • Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.14
  • Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.15
  • admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download16
  • 4H RAT sends an OS version identifier in its beacons.17
  • ADVSTORESHELL can run Systeminfo to gather information about the victim.1819
  • During its initial execution, BACKSPACE extracts operating system information from the infected host.20
  • BUBBLEWRAP collects system information, including the operating system version and hostname.16
  • Backdoor.Oldrea collects information about the OS, computer name, and Internet adapter configuration.21
  • BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.22 23
  • CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.24
  • ChChes collects the victim hostname, window resolution, and Microsoft Windows version.2526
  • ChChes collects the victim computer name.27
  • A system info module in CozyCar gathers information on the victim host’s configuration.28
  • Crimson contains a command to collect the victim PC name and operating system.29
  • Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the machine and operating system.30
  • DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.31
  • DustySky extracts basic information about the operating system.32
  • Elise executes systeminfo after initial communication is made to the remote server.33
  • Emissary has the capability to execute ver, systeminfo, and gpresult commands.34
  • FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.35
  • Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.36
  • HALFBAKED can obtain information about the OS, processor, and BIOS.37
  • can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.38
  • Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.39
  • JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum.40 Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.41
  • JPIN can obtain system information such as OS version and disk space.42
  • can collect system information.38
  • KOMPROGO is capable of retrieving information about the infected system.43
  • Kasidet has the ability to obtain a victim's system name and operating system version.44
  • creates a backdoor through which remote attackers can retrieve system information.45
  • MURKYTOP has the capability to retrieve information about the OS.46
  • The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.47
  • The initial beacon packet for Misdat contains the operating system version of the victim.47
  • MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.48
  • MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.49
  • can discover and collect victim system information.50
  • Naid collects a unique identifier (UID) from a compromised host.51
  • NanHaiShu can gather the victim computer name and serial number.52
  • OSInfo discovers information about the infected machine 2.
  • Orz can gather the victim OS version and whether it is 64 or 32 bit.52
  • POORAIM can identify system information, including battery status.38
  • ... further results

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting53 tools, like AppLocker,5455 or Software Restriction Policies56 where appropriate.57

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. ^  Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  2. a b  Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  3. ^  Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  4. ^  Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  5. ^  Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  6. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  7. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  8. ^  Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  9. ^  Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  10. ^  Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  11. ^  Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  12. ^  Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  13. ^  Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  14. ^  Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  15. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  16. a b  FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  17. ^  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  18. ^  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  19. ^  Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  20. ^  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  21. ^  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  22. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  23. ^  Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  24. ^  FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  25. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  26. ^  PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  27. ^  FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  28. ^  F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  29. ^  Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  1. ^  Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  2. ^  ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  3. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  4. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  5. ^  Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  6. ^  US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  7. ^  Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  8. ^  Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  9. a b c  FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  10. ^  Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  11. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  12. ^ Unit42 Sofacy Feb 2018 
  13. ^  Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  14. ^  Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  15. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  16. ^  Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  17. ^  FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  18. a b  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  19. ^  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  20. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  21. ^  McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  22. ^  Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  23. a b  Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  24. ^  Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  25. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  26. ^  NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  27. ^  Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  28. ^  Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.