The System Information Discovery Technique Explained - MITRE ATT&CK T1082

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


System Information Discovery is a technique adversaries use to observe the environment and learn about the compromised system. After gaining initial access to a target, threat actors commonly collect information about its environment, and they shape the rest of their attack plan according to what this technique reveals.

This blog explains the T1082 System Information Discovery technique of the MITRE ATT&CK® framework, the fifth technique in the Top 10 MITRE ATT&CK techniques list.


OS Commands Used to Collect System Information

1. Systeminfo (Windows)

Systeminfo is a built-in Windows utility that provides detailed configuration information about a system and its operating system, including:

  • Operating system configuration: OS name/version/manufacturer/configuration/OS build type, registered owner, registered organization, original install date, system locale, input locale, product ID, time zone, logon server

  • Security information: Hotfix(es)

  • Hardware properties: RAM, disk space, network cards, processors, total physical memory, available physical memory, virtual memory

  • Other system information: System boot time, system manufacturer, system model, system type, BIOS version, Windows directory, system directory, boot device

C:\> systeminfo
Host Name:                 MS_EDGE_WIN10
OS Name:                   Microsoft Windows 10 Enterprise Evaluation
OS Version:                10.0.17764 N/A Build 17764
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:
Registered Organization:   Microsoft
Product ID:                00456-70000-00008-NN236
Original Install Date:     3/19/2020, 4:59:35 AM
System Boot Time:          1/13/2022, 5:44:12 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                          [01]: Intel64 Family 6 Model 158 Stepping 10 ~2592 Mhz
                          [02]: Intel64 Family 6 Model 158 Stepping 10 ~2592 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 7/22/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us; English; (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 1,753 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 2,461 MB
Virtual Memory: In Use:    2,338 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\MSEDGEWIN10
Hotfix(s):                 2 Hotfix(s) Installed.
                          [01]: KB4601555
                          [02]: KB4465065
Network Card(s):           1 NIC(s) Installed.
                          [01]: Intel(R) PRO/1000 MT Network Connection
                                Connection Name: Ethernet0
                                DHCP Enabled:    Yes
                                DHCP Server:     172.16.245.1
                                IP address(es)
                                [01]: 172.16.245.3
                                [02]: fe80::a84f:5ac6:27e1:381e
                                [03]: fd15:4ba5:5a2b:1008:eca7:b215:2a21:81ed
                                [04]: fd15:4ba5:5a2b:1008:a84f:5ac6:27e1:381e
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Figure 1: Example of output of systeminfo command

2. Systemsetup (macOS)

systemsetup is a macOS command that lets users read and configure per-machine settings that are normally managed in the System Preferences application [1]. The following options can be used with systemsetup for system information discovery:

  • getcomputername: Displays the computer name.

  • gettimezone: Displays the current time zone.

  • getlocalsubnetname: Displays the local subnet name.

  • getremotelogin: Displays whether remote login (SSH) is on or off.

Note that the systemsetup command requires at least "admin" privileges to run.

john@test.local ~ % systemsetup -getcomputername
You need administrator access to run this tool... exiting!
john@test.local ~ % sudo su
sh-3.2# systemsetup -getcomputername
Computer Name: test.local
sh-3.2# systemsetup -getremotelogin
Remote Login: Off
sh-3.2# systemsetup -getlocalsubnetname
Local Subnet Name: test.local
sh-3.2# systemsetup -gettimezone
Time Zone:  America/New_York

Figure 2: Example of output of systemsetup command
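Both commands above are ordinary administrative tools, so the defensive question is not whether they run but who runs them, from where, and how many discovery commands arrive in a short window after a process starts. The following added example (written for this post, not code from the original article or from Picus) scans constructed process-creation events for the two commands described here, systeminfo on Windows and systemsetup -get* on macOS, and escalates hits that are spawned by an unusual parent or that occur in a burst from the same host and user. The event layout (ts, host, user, parent, cmd) and the sample events are assumptions chosen for illustration, not a real product schema.

```python
"""Flag T1082 discovery commands in endpoint process-creation telemetry.

Added example, not from the original post. The event layout (ts, host,
user, parent, cmd) and all sample values are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Case-insensitive patterns for the commands named on the page. The leading
# group requires start of string, a path separator, whitespace or a quote
# before "systeminfo", and \b after it, so a file called
# systeminfo_notes.txt is not a hit.
T1082_PATTERNS = {
    "systeminfo": re.compile(r"(^|[\\/\s\"'])systeminfo(\.exe)?\b", re.IGNORECASE),
    "systemsetup -get*": re.compile(r"\bsystemsetup\s+-get\w+", re.IGNORECASE),
}

# Parents from which an interactive user rarely launches discovery commands.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}

# Two or more hits by the same host/user inside this window count as a burst.
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 2

# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "user": "alice",
     "parent": "explorer.exe",
     "cmd": r"C:\Windows\System32\notepad.exe C:\docs\systeminfo_notes.txt"},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "user": "alice",
     "parent": "explorer.exe", "cmd": "cmd.exe /c systeminfo"},
    {"ts": "2024-01-10T09:00:09", "host": "WS01", "user": "alice",
     "parent": "cmd.exe", "cmd": r"C:\Windows\System32\systeminfo.exe"},
    {"ts": "2024-01-10T10:00:00", "host": "MAC02", "user": "bob",
     "parent": "bash", "cmd": "sudo systemsetup -getremotelogin"},
    {"ts": "2024-01-10T11:00:00", "host": "WS03", "user": "carol",
     "parent": "winword.exe", "cmd": "cmd.exe /c systeminfo"},
]


def classify(event):
    """Return the name of the first matching T1082 pattern, or None."""
    for name, pattern in T1082_PATTERNS.items():
        if pattern.search(event["cmd"]):
            return name
    return None


def detect(events):
    """Return one alert per T1082 hit, with severity and burst flag set."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        severity = "high" if ev["parent"].lower() in SUSPICIOUS_PARENTS else "medium"
        alerts.append({**ev, "rule": rule, "severity": severity, "burst": False})

    # Burst escalation: several discovery commands by the same host/user
    # within BURST_WINDOW is the post-access pattern the page describes.
    by_actor = defaultdict(list)
    for alert in alerts:
        by_actor[(alert["host"], alert["user"])].append(alert)
    for group in by_actor.values():
        times = [datetime.fromisoformat(a["ts"]) for a in group]
        for alert, t in zip(group, times):
            nearby = sum(1 for u in times if abs(u - t) <= BURST_WINDOW)
            if nearby >= BURST_COUNT:
                alert["burst"] = True
                alert["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]}/{a["user"]} {a["severity"]:6} burst={a["burst"]} '
              f'rule={a["rule"]} parent={a["parent"]} cmd={a["cmd"]}')
```

On the sample data the single systemsetup call stays at medium severity, the two systeminfo executions on WS01 four seconds apart are escalated as a burst, and the systeminfo launched from winword.exe is escalated because of its parent. Administrators do run systeminfo legitimately, so the parent and burst heuristics are what keep such a rule from paging on every help-desk session; tune the parent list and the window to the environment.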

API Calls Used to Collect System Information for IaaS

Adversaries utilize APIs to retrieve information about instances in the cloud infrastructure. Each Infrastructure-as-a-Service (IaaS) provider, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), has its own API call for getting instance information.

1. Describe-instance-information (AWS)

The describe-instance-information API call in AWS returns information about managed instances, including computer name, instance ID, IP address, OS type, OS name, and OS version.

aws ssm describe-instance-information

Figure 3: Example of describe-instance-information API call [8]

{
    "InstanceInformationList": [
        {
            "InstanceId": "i-028ea792daEXAMPLE",
            "PingStatus": "Online",
            "LastPingDateTime": 1582221233.421,
            "AgentVersion": "2.3.842.0",
            "IsLatestVersion": true,
            "PlatformType": "Linux",
            "PlatformName": "SLES",
            "PlatformVersion": "15.1",
            "ResourceType": "EC2Instance",
            "IPAddress": "192.0.2.0",
            "ComputerName": "ip-198.51.100.0.us-east-2.compute.internal",
            "AssociationStatus": "Success",
            "LastAssociationExecutionDate": 1582220806.0,
            "LastSuccessfulAssociationExecutionDate": 1582220806.0,
            "AssociationOverview": {
                "DetailedStatus": "Success",
                "InstanceAssociationStatusAggregatedCount": {
                    "Success": 2
                }
            }
        }
    ]
}

Figure 4: Example of describe-instance-information API call response [8]

2. Virtual Machine - Get (Azure)

In Microsoft Azure, the Virtual Machine - Get request retrieves information about the model view or the instance view of a virtual machine.

GET https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2021-11-01

Figure 5: Example of Virtual Machine-Get API call [9]

    "osProfile": {
      "computerName": "myVM",
      "adminUsername": "admin",
      "windowsConfiguration": {
        "provisionVMAgent": true,
        "enableAutomaticUpdates": false
      },
      "secrets": []
    },

Figure 6: Example of Virtual Machine-Get API call response (shortened) [9]

3. instances.get (GCP)

In Google Cloud Platform (GCP), the instances.get method returns information about the specified instance, including hostname, CPU platform, disk size, IP address, and the DNS domain [4].

GET https://compute.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances/{resourceId}

Figure 7: Example of instances.get API call [10]

  "machineType": string,
  "status": enum,
  "statusMessage": string,
  "zone": string,
  "canIpForward": boolean,
  "networkInterfaces": [
    {
      "kind": string,
      "network": string,
      "subnetwork": string,
      "networkIP": string,
      "ipv6Address": string,
      "internalIpv6PrefixLength": integer,
      "name": string,
      "accessConfigs": [

Figure 8: Example of instances.get API call response (shortened) [10]
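All three provider calls above are logged by the providers' own audit services (AWS CloudTrail, the Azure Activity Log and GCP Cloud Audit Logs), which is where a defender sees instance discovery happening. The following added example (written for this post, not code from the original article, from Picus, or from any cloud provider) normalizes audit records from the three providers into one shape, keeps only the three discovery calls described in this section, and flags callers that are not in a baseline of identities expected to query instance information. The record layouts follow the public audit-log schemas as far as the fields used here, but every key, value, account ID, e-mail address and IP below is a constructed assumption.

```python
"""Triage IaaS instance-discovery API calls across AWS, Azure and GCP.

Added example, not from the original post. Field names follow the public
CloudTrail, Azure Activity Log and GCP Cloud Audit Log shapes as assumed
here; all identities, account ids and addresses are constructed.
"""

# The three calls the page describes: provider -> fields that must match.
# For GCP the fields live under protoPayload; the others are top level.
DISCOVERY_CALLS = {
    "aws":   {"eventSource": "ssm.amazonaws.com",
              "eventName": "DescribeInstanceInformation"},
    "azure": {"operationName": "Microsoft.Compute/virtualMachines/read"},
    "gcp":   {"methodName": "v1.compute.instances.get"},
}

# Identities that are expected to enumerate instances (inventory jobs, SSM
# automation). Constructed placeholders.
BASELINE = {
    "arn:aws:iam::123456789012:role/ssm-inventory",
    "inventory-sa@example-project.iam.gserviceaccount.com",
}

# Constructed audit records as (provider, record) pairs.
SAMPLE_RECORDS = [
    ("aws", {"eventTime": "2024-01-10T09:00:00Z",
             "eventSource": "ssm.amazonaws.com",
             "eventName": "DescribeInstanceInformation",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
             "sourceIPAddress": "203.0.113.7"}),
    ("aws", {"eventTime": "2024-01-10T09:00:30Z",
             "eventSource": "s3.amazonaws.com",
             "eventName": "ListBuckets",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup"},
             "sourceIPAddress": "10.0.0.5"}),
    ("azure", {"eventTimestamp": "2024-01-10T09:05:00Z",
               "operationName": "Microsoft.Compute/virtualMachines/read",
               "caller": "guest@example.com",
               "httpRequest": {"clientIpAddress": "198.51.100.9"}}),
    ("gcp", {"timestamp": "2024-01-10T09:10:00Z",
             "protoPayload": {
                 "methodName": "v1.compute.instances.get",
                 "authenticationInfo": {
                     "principalEmail": "inventory-sa@example-project.iam.gserviceaccount.com"},
                 "requestMetadata": {"callerIp": "192.0.2.44"}}}),
]


def is_discovery(provider, rec):
    """True if the record is one of the instance-discovery calls above."""
    signature = DISCOVERY_CALLS[provider]
    raw = rec["protoPayload"] if provider == "gcp" else rec
    return all(raw.get(field) == value for field, value in signature.items())


def normalize(provider, rec):
    """Reduce a raw audit record to time, caller, source_ip and operation."""
    if provider == "aws":
        return {"time": rec["eventTime"],
                "caller": rec["userIdentity"]["arn"],
                "source_ip": rec["sourceIPAddress"],
                "operation": rec["eventName"]}
    if provider == "azure":
        return {"time": rec["eventTimestamp"],
                "caller": rec["caller"],
                "source_ip": rec["httpRequest"]["clientIpAddress"],
                "operation": rec["operationName"]}
    if provider == "gcp":
        p = rec["protoPayload"]
        return {"time": rec["timestamp"],
                "caller": p["authenticationInfo"]["principalEmail"],
                "source_ip": p["requestMetadata"]["callerIp"],
                "operation": p["methodName"]}
    raise ValueError(f"unknown provider {provider!r}")


def triage(records, baseline):
    """Return normalized discovery calls; new_caller marks identities outside the baseline."""
    out = []
    for provider, rec in records:
        if not is_discovery(provider, rec):
            continue
        ev = normalize(provider, rec)
        ev["provider"] = provider
        ev["new_caller"] = ev["caller"] not in baseline
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in triage(SAMPLE_RECORDS, BASELINE):
        flag = "NEW CALLER" if ev["new_caller"] else "baseline"
        print(f'{ev["time"]} {ev["provider"]:5} {ev["operation"]} by {ev["caller"]} '
              f'from {ev["source_ip"]} [{flag}]')
```

On the sample records the S3 call is dropped, the GCP call from the inventory service account is reported as baseline activity, and the AWS and Azure calls from identities outside the baseline are flagged. A first-seen caller is a stronger signal than the call itself, because the same API is what legitimate inventory and configuration-management tooling uses every day.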

Adversary Use of the T1082 System Information Discovery Technique

  • The Axiom (Group 72) cyber-espionage group uses the ZxShell RAT (Sensocode) to compose a large string containing system information about the victim and sends it to their C2 server [5]. The collected information includes hostname, organization, owner, OS details, CPU speed, and total physical memory.

  • The REvil (Sodinokibi) ransomware group uses the T1082 System Information Discovery technique for several purposes:

    • Volume serial number and CPUID: REvil uses them to generate a unique identifier (UID) to track victims [6]. This UID is also used in the encryption and decryption processes and is attached to the payment URL referenced in the ransom note.

    • Keyboard layout: If the layout is Russian, REvil whitelists the victim and does not compromise the host further.

    • Other host details: username, hostname, workgroup/domain name, locale and keyboard layout, OS name, hard disk drive details, and CPU architecture of the compromised host.

  • The Mekotio banking trojan gathers the following information about the victim [7]:

    • firewall configuration
    • OS name and version
    • installed anti-fraud protection (e.g., IBM Trusteer) and anti-malware solutions
    • current local time, used to dynamically generate C&C domain names

  • The Crimson RAT loader periodically checks how many days have passed since its installation by reading a registry key. If at least 15 days have passed, it downloads and executes the final payload [2].

  • The Tokyo Olympics wiper malware obtains the current timestamp via GetTickCount64, sleeps for 16 seconds, and then calls GetTickCount64 again to determine how much time the code actually spent in the Sleep function [3]. If less than 16 seconds elapsed, the malware terminates itself, because a sandbox environment is likely to accelerate the Sleep function.

References

[1] “systemsetup.” https://ss64.com/osx/systemsetup.html.

[2] https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf.

[3] G. Palazolo, “Netskope Threat Coverage: 2020 Tokyo Olympics Wiper Malware,” 29-Jul-2021. https://www.netskope.com/blog/netskope-threat-coverage-2020-tokyo-olympics-wiper-malware.

[4] “Method: instances.get.” https://cloud.google.com/compute/docs/reference/rest/v1/instances/get.

[5] Talos Group, “Threat Spotlight: Group 72, Opening the ZxShell,” 28-Oct-2014. https://blogs.cisco.com/security/talos/opening-zxshell.

[6] “REvil/Sodinokibi Ransomware.” https://www.secureworks.com/research/revil-sodinokibi-ransomware.

[7] “Mekotio: These aren’t the security updates you’re looking for...,” 13-Aug-2020. https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/.

[8] “describe-instance-information — AWS CLI 1.22.97 Command Reference.” https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html.

[9] rloutlaw, “Virtual Machines - Get.” https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/get.

[10] “Method: instances.get,” Google Cloud. https://cloud.google.com/compute/docs/reference/rest/v1/instances/get.