Security Control Validation.png?width=329&name=BAS-Mock-Up-1-small%20(1).png)
.png?width=246&name=Picus-thumbnail_Ipad_Checklist%20(1).png)
What Is Continuous Threat Exposure Management (CTEM)?
%20(1).png?width=260&height=333&name=image%20(17)%20(1).png)
Keep up to date with latest blog posts
System Information Discovery is an adversary technique to observe the environment and learn about the infected system. After initial access to the target system, cyber threat actors commonly collect information about the environment. Adversaries determine their attack plan according to the information gathered by leveraging this technique.
This blog explains the T1082 System Information Discovery technique of the MITRE ATT&CK® framework, the fifth technique in the Top 10 MITRE ATT&CK techniques list.
 |
The Red Report 2023
|
OS Commands Used to Collect System Information
1. Systeminfo (Windows)
Systeminfo is a built-in Windows utility that provides detailed configuration information about a system and its operating system, including:
-
Operating system configuration: OS name/version/manufacturer/configuration/OS build type, registered owner, registered organization, original install date, system locale, input locale, product ID, time zone, logon server
-
Security information: Hotfix(es)
-
Hardware properties: RAM, disk space, network cards, processors, total physical memory, available physical memory, virtual memory
-
Other system information: System boot time, system manufacturer, system model, system type, BIOS version, windows directory, system directory, boot device
|
C:\> systeminfo |
Figure 1: Example of output of systeminfo command
2. Systemsetup (macOS)
systemsetup is a macOS command that enables users to gather and configure specific per-machine settings typically configured in the System Preferences application [1]. The following options can be used with systemsetup for system information discovery:
-
getcomputername: Displays computer name.
-
gettimezone: Displays the current time zone.
-
getlocalsubnetname: Display local subnet name.
-
getremotelogin: whether remote login (SSH) is on or off.
Note that the systemsetup command requires at least "admin" privileges to run.
|
john@test.local ~ % systemsetup -getcomputername |
Figure 2: Example of output of systemsetup command
API Calls Used to Collect System Information for IaaS
Adversaries utilize APIs to retrieve information about instances in the cloud infrastructure. Each Infrastructure-as-a-Service (IaaS) provider, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), has its own API call for getting instance information.
1. Describe-instance-information (AWS)
The describe-instance-information API call in AWS gives information about instances, including computer name, instanceid, IP address, OS type, OS name, and OS version.
|
aws ssm describe-instance-information |
Figure 3: Example of describe-instance-information API call [8]
|
{ |
Figure 4: Example of describe-instance-information API call response [8]
2. Virtual Machine - Get (Azure)
In Microsoft Azure, Virtual Machine - Get request retrieves information about the model view or the instance view of a virtual machine.
|
GET https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2021-11-01 |
Figure 5: Example of Virtual Machine-Get API call [9]
|
… … … … |
Figure 6: Example of Virtual Machine-Get API call response (shortened) [9]
3. instances.get (GCP)
In Google Cloud Platform (GCP), the instances.get method returns information about the specified instance, including hostname, CPU platform, disk size, IP address, and the DNS domain [4].
|
GET https://compute.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances/{resourceId} |
Figure 7: Example of instances.get API call [10]
|
… … "machineType": string, … |
Figure 7: Example of instances.get API call response (shortened) [10]
Adversary Use of the T1082 System Information Discovery Technique
- Axiom (Group 72) cyber-espionage group uses ZxShell RAT (Sensocode) to compose a large string that contains system information of the victim and sends the string to their C2 server [5]. The collected information includes hostname, organization, owner, OS details, CPU speed, and total physical memory.
- REvil (Sodinokibi) ransomware group uses the T1082 System Information Discovery technique for various purposes:
- Volume serial number and CPUID: They are used by REvil to generate a unique identifier (UID) to track victims [6]. This UID is also used in encryption and decryption processes and attached to the payment URL referenced in the ransom note.
- Keyboard layout: If the layout is Russian, the REvil ransomware group whitelist the victim and do not compromise further.
- Username, hostname, and workgroup/domain name, locale and keyboard layout, OS name, hard disk drive details, CPU architecture from the compromised host.
- Mekotio banking trojan gathers the following information about the victim [7]:
- firewall configuration
- OS name and version
- installed anti-fraud protection (e.g., IBM Trusteer) and anti-malware solutions
- current local time to dynamically generate C&C domain names
- Crimson RAT loader periodically checks how many days have passed since its installation by utilizing a registry key. If the loader malware detects at least 15 days that have passed, it downloads and executes the final payload [2].
- Tokyo Olympics wiper malware sleeps for 16 seconds after obtaining the current timestamp via GetTicketCount64 [3]. Then, it calls GetTicketCount64 again to determine how much time the code spent in the Sleep function. If the time is less than 16 seconds, the malware terminates itself because a sandbox environment is likely to accelerate the Sleep function.
References
[1] “systemsetup.” https://ss64.com/osx/systemsetup.html.
[2] https://www.proofpoint.com/sites/default/files/proofpoint-operation- transparent-tribe-threat-insight-en.pdf.
[3] G. Palazolo, “Netskope Threat Coverage: 2020 Tokyo Olympics Wiper Malware,” 29-Jul-2021. https://www.netskope.com/blog/netskope-threat-coverage-2020-tokyo-oly mpics-wiper-malware.
[4] “Method: instances.get.” https://cloud.google.com/compute/docs/reference/rest/v1/instances/get.
[5] Talos Group, “Threat Spotlight: Group 72, Opening the ZxShell,”
28-Oct-2014. https://blogs.cisco.com/security/talos/opening-zxshell.
[6] “REvil/Sodinokibi Ransomware.” https://www.secureworks.com/research/revil-sodinokibi-ransomware.
[7] “Mekotio: These aren’t the security updates you’re looking for...,”
13-Aug-2020. https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-secu rity-updates-youre-looking-for/.
[8] “describe-instance-information — AWS CLI 1.22.97 Command Reference.” [Online]. Available: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html.
[9] rloutlaw, “Virtual Machines - Get.” [Online]. Available: https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/get.
[10] “Method: instances.get,” Google Cloud. [Online]. Available: https://cloud.google.com/compute/docs/reference/rest/v1/instances/get.
Share this:
