# System Information Discovery

| Technique | System Information Discovery |
| --- | --- |
| ID | T1082 |
| Tactic | Discovery |
| Platform | Linux, macOS, Windows |
| Permissions Required | User |
| Data Sources | Process command-line parameters, Process monitoring |
| CAPEC ID | CAPEC-311 |

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

## Windows

Example commands and utilities that obtain this information include ver and systeminfo, as well as dir within cmd, which reveals identifying information from the files and directories present on the system.

## Mac

On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.

## Examples

- APT28 has enumerated installed applications on macOS devices with built-in utilities such as ls -al /Applications.[1]
- APT3 has a tool that can obtain information about the local system.[2][3]
- A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.[4]
- Ke3chang performs operating system information discovery using systeminfo commands.[5]
- Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information.[6][7]
- Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[8]
- OilRig has run hostname and systeminfo on a victim.[9][10]
- Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.[11]
- Sowbug obtained OS version and hardware configuration from a victim.[12]
- Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.[13]
- Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[14]
- admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download and systeminfo >> %temp%\download.[15]
- 4H RAT sends an OS version identifier in its beacons.[16]
- During its initial execution, BACKSPACE extracts operating system information from the infected host.[19]
- BUBBLEWRAP collects system information, including the operating system version and hostname.[15]
- Backdoor.Oldrea collects information about the OS, computer name, and Internet adapter configuration.[20]
- BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.[21][22]
- CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[23]
- ChChes collects the victim computer name.[24]
- ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[25][26]
- A system info module in CozyCar gathers information on the victim host's configuration.[27]
- Crimson contains a command to collect the victim PC name and operating system.[28]
- Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the machine and operating system.[29]
- DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[30]
- DustySky extracts basic information about the operating system.[31]
- Elise executes systeminfo after initial communication is made to the remote server.[32]
- Emissary has the capability to execute ver, systeminfo, and gpresult commands.[33]
- FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[34]
- Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.[35]
- HALFBAKED can obtain information about the OS, processor, and BIOS.[36]
- JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum.[37]
- KOMPROGO is capable of retrieving information about the infected system.[38]
- Kasidet has the ability to obtain a victim's system name and operating system version.[39]
- The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.[40]
- The initial beacon packet for Misdat contains the operating system version of the victim.[40]
- MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.[41]
- MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.[42]
- OSInfo discovers information about the infected machine.[2]
- POWRUNER may collect information about the system by running hostname and systeminfo on a victim.[43]
- PinchDuke gathers system configuration information.[44]
- Pisloader has a command to collect victim system information, including the system name and OS version.[45]
- PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[46]
- A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.[47]
- RTM can obtain the computer name, OS version, and default language identifier.[48]
- Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[49]
- RedLeaves can obtain the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[26]
- Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[50]
- The initial beacon packet for S-Type contains the operating system version and file system of the victim.[40]
- SOUNDBITE is capable of gathering system information.[38]

## Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using application whitelisting[51] tools such as AppLocker[52][53] or Software Restriction Policies[54] where appropriate.[55]

## Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
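The following is an added example, not code from the ATT&CK page or from MITRE. It puts the detection guidance above into practice: it reads process-creation events from a log, picks out the discovery commands named on this page (ver, systeminfo, hostname, set, gpresult, system_profiler, systemsetup, and ls aimed at /Applications), and, rather than alerting on any single command, chains hits per host and user and alerts only when several different discovery commands run close together. The JSON field names (ts, host, user, cmdline), the 120-second window, the threshold of two distinct commands, and the sample log lines are all assumptions constructed for the example.

```python
"""Correlate T1082-style discovery commands from process-creation logs.

Added example, not code from the ATT&CK page. It applies the page's detection
guidance: monitor command lines and treat discovery as a chain of behaviour
rather than as isolated events. Field names and thresholds are assumptions.
"""
import json
import ntpath
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Commands named on the page, mapped to an argument fragment that must also be
# present ("" means any arguments). A bare "ls" is far too common to flag, so it
# only counts when aimed at /Applications as in the APT28 example.
DISCOVERY_COMMANDS = {
    "ver": "", "systeminfo": "", "hostname": "", "set": "", "gpresult": "",
    "system_profiler": "", "systemsetup": "", "ls": "/applications",
}
WINDOW = timedelta(seconds=120)  # assumed: max gap between hits in one chain
MIN_DISTINCT = 2                  # assumed: distinct commands needed to alert


def _basename(token: str) -> str:
    """Strip quotes, directory and .exe so 'C:\\Windows\\cmd.exe' equals 'cmd'."""
    token = token.strip("\"'")
    name = ntpath.basename(token) if "\\" in token else posixpath.basename(token)
    return name.lower().removesuffix(".exe")


def discovery_commands(cmdline: str) -> set:
    """Return the discovery commands a command line runs (possibly several).

    Unwraps `cmd.exe /c ...` and splits on `&`, `&&` and `;` so chained
    commands are inspected individually.
    """
    tokens = cmdline.replace("&&", " & ").replace(";", " ; ").split()
    lowered = [t.lower() for t in tokens]
    if tokens and _basename(tokens[0]) == "cmd" and "/c" in lowered:
        tokens = tokens[lowered.index("/c") + 1:]
    found, segment = set(), []
    for tok in tokens + ["&"]:            # trailing "&" flushes the last segment
        if tok in ("&", ";"):
            if segment:
                name = _basename(segment[0])
                needle = DISCOVERY_COMMANDS.get(name)
                if needle is not None and needle in " ".join(segment).lower():
                    found.add(name)
            segment = []
        else:
            segment.append(tok)
    return found


def correlate(events: list) -> list:
    """Group hits by (host, user), chain hits that fall within WINDOW of the
    previous one, and raise an alert for each chain with enough distinct commands."""
    by_actor = defaultdict(list)
    for ev in events:
        cmds = discovery_commands(ev["cmdline"])
        if cmds:
            by_actor[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), cmds, ev["cmdline"]))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        chains = []
        for hit in hits:                  # a gap larger than WINDOW starts a new chain
            if chains and hit[0] - chains[-1][-1][0] <= WINDOW:
                chains[-1].append(hit)
            else:
                chains.append([hit])
        for chain in chains:
            distinct = set().union(*(h[1] for h in chain))
            if len(distinct) >= MIN_DISTINCT:
                alerts.append({"host": host, "user": user,
                               "commands": sorted(distinct),
                               "first_seen": chain[0][0].isoformat(),
                               "last_seen": chain[-1][0].isoformat(),
                               "cmdlines": [h[2] for h in chain]})
    return alerts


# Constructed process-creation events in a Sysmon/EDR-like JSON-lines shape.
# The WS01 lines mirror the admin@338 commands quoted on the page.
SAMPLE_LOG = r"""
{"ts": "2024-03-01T10:00:00", "host": "WS01", "user": "alice", "cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c \"ver >> %temp%\\download\""}
{"ts": "2024-03-01T10:00:04", "host": "WS01", "user": "alice", "cmdline": "cmd.exe /c \"systeminfo >> %temp%\\download\""}
{"ts": "2024-03-01T10:00:09", "host": "WS01", "user": "alice", "cmdline": "hostname"}
{"ts": "2024-03-01T10:00:00", "host": "WS02", "user": "bob", "cmdline": "systeminfo"}
{"ts": "2024-03-01T11:30:00", "host": "WS02", "user": "bob", "cmdline": "hostname"}
{"ts": "2024-03-01T10:05:00", "host": "MAC01", "user": "carol", "cmdline": "/usr/sbin/system_profiler SPSoftwareDataType"}
{"ts": "2024-03-01T10:05:20", "host": "MAC01", "user": "carol", "cmdline": "ls -al /Applications"}
{"ts": "2024-03-01T10:00:02", "host": "WS03", "user": "dave", "cmdline": "cmd.exe /c \"cd C:\\build & ls -al .\""}
"""


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the constructed log, the script raises two alerts: one for alice on WS01 (ver, systeminfo and hostname within nine seconds, including the commands unwrapped from cmd.exe /c) and one for carol on MAC01 (system_profiler followed by ls -al /Applications). Bob's lone systeminfo and a hostname ninety minutes later stay separate chains and never reach the threshold, and dave's cd and ls in a build directory match nothing, which is the point of requiring a chain of distinct discovery commands rather than flagging each utility on its own. In a real pipeline the same logic would also want the parent process and its integrity level, since the page notes that remote access tools may call the Windows API or WMI directly and never spawn these utilities at all.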