MITRE ATT&CK T1082 System Information Discovery

In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that System Information Discovery was the ninth most prevalent ATT&CK technique used by adversaries in their malware.

When adversaries gain initial access to a system, they observe the environment and gain knowledge about the system. Adversaries then use the collected system information to determine how to act in follow-on behaviors. Our research has found that System Information Discovery is the ninth most prevalent ATT&CK technique used by adversaries in their malware.

Following initial access to a system, attackers need to gather information about the system to decide how to continue the attack. They collect operating system, hardware, host, and user information to shape follow-on actions.

In this article, we review:

  • the most commonly collected information
  • the most used methods to discover system information
  • use cases of the System Information Discovery technique by threat actors and malware
  • red and blue team exercises for this technique

Which type of  system information is collected

Adversaries commonly collect the following system information:

  • Host/user information
    • Hostname
    • Username
    • Domain name
    • Registered Owner
    • Registered Organization
    • Uptime
  • Operation system information
    • OS name (e.g., Microsoft Windows 10 Pro)
    • OS version (e.g., 10.0.19041 Build 19041)
    • System locale (e.g.,  en-us; English; United States)
    • Keyboard layout (e.g., 0409 is an English - US keyboard)
    • Hotfix(es)
  • Hardware information
    • CPU architecture (e.g., x86, x64)
    • Processor(s) (e.g., 4 x AMD64 Family 23 ~2000 Mhz)
    • Total physical memory
    • Network Card(s) (e.g., Intel 82574L)
      •  IP address(es)
    • CPUID / ProcessorID (e.g., 078BFBFF00800F12)
    • Volume serial number (e.g., 6000c2926471123a7065babe5ad6f70a)
    • Disk size
    • Screen resolution

How adversaries collect system information

  1. OS Commands

    Adversaries use built-in OS utilities to discover system information:

    • systeminfo: systeminfo [1] is a Microsoft Windows utility that displays detailed configuration information about a computer and its operating system, including:
    • Operating system configuration: OS name, OS version, OS manufacturer, OS configuration, OS build type, registered owner, registered organization, original install date, system locale, input locale, product id, time zone, logon server
    • Security information: hotfixes
    • Hardware properties: RAM, disk space, network cards, processors, total physical memory, available physical memory, virtual memory
      • Other system information: system boot time, system manufacturer, system model, system type, BIOS version, windows directory, system directory, boot device

    • systemsetup: systemsetup is a macOS command that enables you to gather and configure certain per-machine settings typically configured in the System Preferences application [2].  At least "admin" privileges are required to run the systemsetup command. The following flags can be used for system information discovery with systemsetup command:
      • -getcomputername: Displays computer name.
      • -getremotelogin: whether remote login (SSH) is on or off.
      • -getlocalsubnetname: Display local subnet name.
      •  -gettimezone: Displays the current time zone.

  2. IaaS API Calls

    Adversaries use APIs to get information about instances in cloud Infrastructure as a Service (IaaS) providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

    • describe-instance-information in AWS: This API action gives information about instances, including computer name, instanceid, IP address, OS type, OS name, and OS version [2], [3].

    • Virtual Machines - Get in Microsoft Azure:  This operation retrieves information about the model view or the instance view of a virtual machine, such as OS type, computer name, and admin username [4].

    instances.get in Google Cloud: This method returns information about the specified instance, including hostname, CPU platform, disk size, IP address, and the DNS domain [5].

Use Cases

Use Case 1:  ZxShell

If ZxShell (aka Sensocode) RAT (Remote Administration Tool), which is used by Group 72 to conduct cyber-espionage operations, composes a large string that contains the following system information of the victim host and  sends this information to its CnC server[6]:

  • hostname, organization, and owner
  • OS details
  • CPU speed
  • total physical memory

Use Case 2:  Sodinokibi

Sodinokibi (aka REvil) ransomware generates a unique identifier (UID) for the host using the volume serial number and CPUID [7]. It uses this UID for encryption/decryption processes as part of the payment URL referenced in the dropped ransom note. Moreover, Sodinokibi profiles the compromised host by collecting the following information:

  • username, hostname, and workgroup/domain name
  • locale and keyboard layout
  • OS name
  • Hard disk drive details
  • CPU architecture

Interestingly, it uses a parameter named “bro” that indicates a Russian keyboard layout. If this parameter returns true, the compromised host is whitelisted, and it is immune to Sodinokibi. It calls User32.dll's GetKeyboardLayoutList function to get the configured keyboard layout.

Use Case 3: Mekotio

Mekotio banking Trojan collects the following information about the compromised host [8]:

  • firewall configuration
  • user privileges
  • OS name and version
  • installed anti-fraud protection products (e.g., IBM Trusteer)
  • installed anti-malware solutions
  • current local time (to use for dynamically generating C&C domain name) 

Use Case 4: Sandbox Evasion

Adversaries discover system information to detect and avoid virtualization and analysis environments, such as sandboxes  that are used to analyze malicious files and URLs to obtain indicators of compromises (IoCs). Then these IOCs are used to improve defenses and block/detect malicious behavior of adversaries.

Accordingly, the MITRE ATT&CK technique T1497 Virtualization/Sandbox Evasion is one of the primary use cases of the MITRE ATT&CK T1082 System Information Discovery technique. Specifically, the T1497.001 System Checks sub-technique is directly related to the System Information Discovery technique.

Sandbox-evading malware commonly collects the  following system information to detect a virtualization/sandbox environment:

  • Total physical memory size: A total RAM size lower than 4GB may indicate a sandbox environment.
  • Storage size: A storage lower than 64 GB may indicate a sandbox.
  • Storage name: If a hard disc drive has a name used by virtual machines (e.g., QEMU, VBOX, VIRTUAL HD, VMWare), it strongly indicates a virtual machine.
  • HDD vendor ID: If the vendor id of the hard disc drive is VBOX or vmware, it is in a virtual machine.
  • Audio device: If there is no audio device in the machine, it may be a sandbox.
  • Screen resolution: Low resolutions may indicate a sandbox environment.
  • Username: Common sandbox usernames (e.g., sandbox, virus, malware, vmware, test) may indicate a sandbox.
  • Hostname: Common sandbox names (e.g., cuckoo, sandbox, sample, malware) may indicate a sandbox environment.
  • Uptime: Uptimes lower than 10 minutes may indicate a sandbox.
  • Network traffic: High uptimes (e.g., days), but low network traffic (e.g., only a few megabytes) may indicate a sandbox.
  • MAC addresses: Specific MAC address prefixes (e.g., 08:00:27 for VirtualBox, 00:05:69 for VMWare , 00:16:E3 for Xen and 00:1C:42 for Parallels) strongly indicate a virtual machine.
  • Network adapter name: Specific names for network adapters (e.g,. Vmware) strongly indicates a virtual machine.
  • List of files: A clean desktop or documents folder or an empty list of recent files may indicate a sandbox environment.
  • List of directories: The existence of “oracle\virtualbox guest additions\” or “VMWare” directory strongly indicates a virtual machine environment.
  • Browser usage: A short/empty browser history or cookie list may indicate a sandbox.
  • The number of running processes: In a regular Windows environment, at least 50 processes run simultaneously.  Lower numbers may indicate a sandbox.
  • Process names: Specific processes (e.g., vmware.exe, xenservice.exe, vmsrvc.exe, vboxservice.exe, joeboxserver.exe, prl_cc.exe) strongly indicate a virtual machine environment.
  • CPU temperature: Virtual machines don’t return a result after CPU temperature check calls, such as MSAcpi_ThermalZoneTemperature.
  • Number of CPU cores: A single core may indicate a virtual machine.
  • CPUID: The string returned by the CPUID instruction includes information that can be used to identify the virtual machine vendor, such as Microsoft Hv for Hyper-V, KVMKVMKVM for KVM, prl hyperv for Parallels, VBoxVBoxVBox for VirtualBox, VMwareVMware for VMWare, and XenVMMXenVMM for Xen.

Red and Blue Team Exercises

Exercise 1: Obtain patches installed on the host

Red Teaming - How to simulate?
The following command gets a list of installed Windows and software updates applied to the local computer using WMIC (Windows Management Instrumentation Command)  [9] 

wmic qfe get description,hotfixid,installedon

C:\Windows\system32>wmic qfe get description,hotfixid,installedon

Description      HotFixID   InstalledOn

Update           KB4576478  9/9/2020

Security Update  KB4537759  5/11/2020

Security Update  KB4557968  5/11/2020

Security Update  KB4560366  7/13/2020

Security Update  KB4561600  7/13/2020

Security Update  KB4566785  7/23/2020

Security Update  KB4570334  8/12/2020

Security Update  KB4577266  9/9/2020

Update           KB4571756  9/9/2020

Explanation of the command:

  • wmic: WMIC  is a command-line utility to access Windows Management Instrumentation (WMI). WMI is the infrastructure for management data and operations on Windows-based operating systems [10]. Legitimate users write WMI scripts or applications to automate administrative tasks on remote computers.
  • qfe: QFE stands for Quick Fix Engineering. It uses Win32_QuickFixEngineering WMI class to get system-wide updates applied to the current operating system[11].
  • description: This parameter gets the update type (Security Update / Update).
  • hotfixid: This parameter obtains the Microsoft KB (knowledge base) article id, such as KB4537759. You can read the kb article on http://support.microsoft.com/kb/<HotfixID>, for example, http://support.microsoft.com/kb/4537759 for KB4537759.
  • installedon: This parameter gathers the install date of the update.

Blue Teaming - How to detect?

The following Sigma rule can be used to detect an attempt to gather information about installed patches on the local system via the WMIC tool.

title: System Information Discovery by Gathering Installed Patches via WMIC Tool
status: experimental
description: Detects the attempt to gather information about installed patches on the local system via WMIC tool. Obtained information is mostly utilized by attackers to choose which exploit to use for privilege escalation.
author: Picus Security
references:
  - https://attack.mitre.org/techniques/T1082/
  - https://attack.mitre.org/tactics/TA0007/
  - https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmic
logsource:
    product: windows
    service: security
    definition1: 'Requirements: Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation'
    definition2: 'Requirements: Group Policy : Computer Configuration\ Administrative Templates\ System\ Audit Process Creation\ Include Command Line'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\WMIC.exe'
        ProcessCommandLine: '*wmic* *qfe get*'
    condition: selection
falsepositives:
    - Legitimate administrative activities, vulnerability scanner checks
level: low
tags:
    - attack.discovery
    - attack.t1082
    - attack.ta0007

 

References

[1] eross-msft, “systeminfo.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo. [Accessed: 29-Sep-2020]

[2] “systemsetup.” [Online]. Available: https://ss64.com/osx/systemsetup.html. [Accessed: 30-Sep-2020]

[3] “DescribeInstanceInformation.” [Online]. Available: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeInstanceInformation.html. [Accessed: 30-Sep-2020]

[4] rloutlaw, “Virtual Machines - Get.” [Online]. Available: https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get. [Accessed: 30-Sep-2020]

[5] “Method: instances.get.” [Online]. Available: https://cloud.google.com/compute/docs/reference/rest/v1/instances/get. [Accessed: 30-Sep-2020]

[6] Talos Group, “Threat Spotlight: Group 72, Opening the ZxShell,” 28-Oct-2014. [Online]. Available: https://blogs.cisco.com/security/talos/opening-zxshell. [Accessed: 30-Sep-2020]

[7] “REvil/Sodinokibi Ransomware.” [Online]. Available: https://www.secureworks.com/research/revil-sodinokibi-ransomware. [Accessed: 30-Sep-2020]

[8] “Mekotio: These aren’t the security updates you’re looking for…,” 13-Aug-2020. [Online]. Available: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/. [Accessed: 30-Sep-2020]

[9] “[No title].” [Online]. Available: https://support.microsoft.com/en-us/help/290216/a-description-of-the-windows-management-instrumentation-wmi-command-li. [Accessed: 28-Jun-2020]

[10] stevewhims, “Windows Management Instrumentation - Win32 apps.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page. [Accessed: 28-Jun-2020]

[11] stevewhims, “Win32_QuickFixEngineering class.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-quickfixengineering. [Accessed: 30-Sep-2020]


10 Critical MITRE ATT&CK Techniques