MITRE ATT&CK T1082 System Information Discovery

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


System information discovery involves collecting information about computer systems or networks, such as hardware, software, and network configurations. Adversaries commonly use built-in tools to gather data on the network, operating system version, kernel ID, and potential vulnerabilities for exploitation. In the Red Report 2024, T1082 System Information Discovery rose from fifth to fourth place, indicating its growing importance in the successful use of native OS tools for discreet information gathering.


Adversary Use of System Information Discovery

Adversaries can use this technique to gather information about a compromised system. For instance, an adversary who wants to exploit a Linux machine may perform system information discovery to learn the corresponding kernel version and its possible vulnerabilities to develop an exploit. Note that this is not only limited to exploit development but also to finding and leveraging the appropriate tools specifically designed for the corresponding operating system.

The tools and techniques leveraged for system information discovery will be examined under two categories: OS Commands Used to Collect System Information and API Calls Used to Collect System Information for IaaS.

OS Commands Used to Collect System Information

Adversaries can leverage various built-in operating system (OS) commands to perform stealthy system information discovery. This section examines the systeminfo tool on Windows, the system_profiler, systemsetup and networksetup tools on macOS, and the built-in functions commonly used on Linux.

1. systeminfo (Windows)

systeminfo is a built-in command-line tool that is included with Windows operating systems. This tool can display detailed information about a system's hardware and software components, including the operating system version, the installed hotfixes and service packs, and the system architecture. The table below shows what information a user can get using the systeminfo tool on Windows machines.

Operating system configuration: OS name, OS version, OS manufacturer, OS configuration, OS build type, registered owner, registered organization, original install date, system locale, input locale, product ID, time zone, logon server

Security information: hotfix(es)

Hardware properties: RAM, disk space, network cards, processors, total physical memory, available physical memory, virtual memory

Other system information: system boot time, system manufacturer, system model, system type, BIOS version, Windows directory, system directory, boot device

Below, you will find an example output of the systeminfo tool.

Host Name:                         DESKTOP-ABCDEFGH
OS Name:                           Microsoft Windows 10 Pro
OS Version:                        10.0.19041 N/A Build 19041
OS Manufacturer:                   Microsoft Corporation
OS Configuration:                  Standalone Workstation
OS Build Type:                     Multiprocessor Free
Registered Owner:                  John Doe
Registered Organization:           ACME Inc.
Product ID:                        00330-10000-00000-AA999
Original Install Date:             2/1/2024, 6:31:06 PM
System Boot Time:                  2/20/2024, 4:39:14 PM
System Manufacturer:               Dell Inc.
System Model:                      XPS 13
System Type:                       x64-based PC
Processor(s):                      1 Processor(s) Installed.
                                  [01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~3401 Mhz
BIOS Version:                      Dell Inc. 1.2.2, 3/1/2023
Windows Directory:                 C:\Windows
System Directory:                  C:\Windows\system32
Boot Device:                       \Device\HarddiskVolume1
System Locale:                     en-us;English (United States)
Input Locale:                      en-us;English (United States)
Time Zone:                         (UTC-08:00) Pacific Time

Total Physical Memory:             8,192 MB
Available Physical Memory:         4,270 MB
Virtual Memory: Max Size:          14,685 MB
Virtual Memory:                    10,129 MB
Virtual Memory: In Use:            4,555 MB
Page File Location(s):             C:\pagefile.sys
Domain:                            ACME
Logon Server:                      \\DC1
Network Card(s):
                                   [01]: Intel(R) Ethernet Connection I219-LM
Hyper-V Requirements:              A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Adversaries commonly use the systeminfo command in the wild. 

For example, in June 2023, it was revealed that the Chinese APT group, Volt Typhoon, executed the following commands on the target system during their enumeration phase as part of the discovery process [1].

netstat -ano
reg query hklm\software\
systeminfo
tasklist /v
wmic volume list brief
wmic service brief

In one malware sample analyzed in September 2023, it was seen that adversaries ran the systeminfo command to perform system enumeration [2].

* 88ceea988a4b66edfa194eae2aaf50951c6fbbc7d5aa8d19351d36531667fd89

In a different instance reported in July 2023, malicious actors planted a batch file on the targeted system. This batch file ran host reconnaissance commands and stored their output in a file named "c3lzLmluZm8" [3]; decoded from Base64, that file name reads "sys.info". The following commands were executed to collect system metadata:

tasklist /v
arp -a
netstat -ano
ipconfig /all
systeminfo
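The two command sequences above (Volt Typhoon's and the batch file's) share a detection-friendly shape: several distinct discovery commands launched by the same parent process within a few seconds. The following Python script is an added example, not code from the report or from any of the referenced analyses. It runs that check over constructed process-creation events in the shape of Windows Security Event ID 4688 or Sysmon Event ID 1 records (timestamp, host, parent process ID, command line); its command list also includes the macOS and Linux tools discussed on this page, so the same logic applies to events collected from those hosts. The event field layout, host names, PIDs and timestamps are assumptions made for the example.

```python
"""Flag clusters of host-discovery commands in process-creation events
(Windows Security Event ID 4688 / Sysmon Event ID 1 shape).
Added example: the events below are constructed, not taken from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Executables seen in T1082 activity: the Windows commands from the Volt
# Typhoon and batch-file examples plus the macOS and Linux tools covered here.
DISCOVERY_COMMANDS = {
    "systeminfo", "tasklist", "netstat", "ipconfig", "arp", "wmic", "reg",
    "system_profiler", "systemsetup", "networksetup", "uname",
}

# Constructed sample events: (timestamp, host, parent PID, command line).
SAMPLE_EVENTS = [
    ("2024-02-20T16:40:01", "WS01", 4120, "tasklist /v"),
    ("2024-02-20T16:40:02", "WS01", 4120, "arp -a"),
    ("2024-02-20T16:40:02", "WS01", 4120, "netstat -ano"),
    ("2024-02-20T16:40:03", "WS01", 4120, "ipconfig /all"),
    ("2024-02-20T16:40:04", "WS01", 4120, "C:\\Windows\\System32\\systeminfo.exe"),
    ("2024-02-20T16:40:05", "WS01", 4120, "notepad.exe"),
    ("2024-02-20T09:15:00", "WS02", 3001, "systeminfo"),      # lone admin check
    ("2024-02-20T11:02:00", "WS02", 3001, "ipconfig /all"),   # hours later
]


def command_name(cmdline: str) -> str:
    """Reduce a command line to its bare executable name (lower-case, no path, no .exe)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"') and '"' in cmdline[1:]:
        first = cmdline[1:cmdline.index('"', 1)]      # quoted path, may contain spaces
    else:
        first = cmdline.split()[0] if cmdline else ""
    exe = first.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return exe[:-4] if exe.endswith(".exe") else exe


def find_discovery_clusters(events, window_seconds=60, min_distinct=3):
    """Return one alert per (host, parent PID) that launched at least
    min_distinct different discovery commands inside window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_parent = defaultdict(list)
    for ts, host, ppid, cmdline in events:
        name = command_name(cmdline)
        if name in DISCOVERY_COMMANDS:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), name))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        best = None
        start = 0
        for end in range(len(hits)):                  # sliding window over time
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {name for _, name in hits[start:end + 1]}
            if len(distinct) >= min_distinct and (
                best is None or len(distinct) > len(best["commands"])
            ):
                best = {"host": host, "parent_pid": ppid,
                        "first_seen": hits[start][0].isoformat(),
                        "commands": sorted(distinct)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_clusters(SAMPLE_EVENTS):
        print(alert)
```

A single systeminfo from an administrator's shell does not fire; three or more distinct discovery commands from one parent inside the window do. Tune window_seconds and min_distinct to the environment, and exclude known inventory or monitoring agents by parent image rather than by raising the threshold.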

2. system_profiler (macOS)

system_profiler is a command-line utility on macOS that provides detailed information about the hardware and software configuration of a Mac. An adversary who has gained access to a Mac host could use this tool to gather information about the system, such as the version of the operating system, the model and make of the computer, the type and amount of memory installed, and so on.

Here is an example command demonstrating how adversaries can leverage the system_profiler utility [4]. 

system_profiler SPHardwareDataType SPSoftwareDataType

By combining these two data types in a single command, an adversary can efficiently collect a comprehensive profile of both the hardware and software aspects of the system, which can be critical for planning further malicious activities like targeted malware attacks, system exploitation, or data exfiltration.

3. systemsetup (macOS) 

On macOS machines, the systemsetup configuration tool is versatile for gathering comprehensive system information. It allows you to view and modify various system settings, such as the hostname, time zone, and network configurations. Like systeminfo, the systemsetup tool can also provide detailed insights into a system's hardware and software components.

systemsetup requires root (administrator) privileges, and its available options vary with the macOS version in use. Common options used for system information discovery include:

    -gettimezone: Displays the current time zone of the system.

user@macos:~$ sudo systemsetup -gettimezone
Time Zone: America/Denver

Adversaries may leverage this option to determine if the system is configured to use the correct time zone. If not, the target system may be more susceptible to certain types of attacks, such as time-based attacks that rely on the system's clock being out of sync with other systems.

For instance, in a hypothetical scenario, if an attacker discovers a system clock discrepancy, they could schedule a cron job to exploit it, potentially aligning the execution of a malicious script with a specific event or trigger. The cron job might look something like this:

0 2 * * * /path/to/malicious/script.sh

This line in a crontab file would theoretically schedule the script.sh to run at 2:00 AM system time every day. If the system's clock is incorrectly set, this could trigger the script at an unexpected time, possibly aligning with a time-based security loophole or during low monitoring periods.

    -getcomputername: Displays the current hostname of the system.

user@macos:~$ sudo systemsetup -getcomputername
Computer Name: John's MacBook Pro

This option can be used to learn the hostname to determine if the system is configured to use a fully qualified domain name (FQDN) or a simple hostname. It can also be used to identify potential vulnerabilities in the system's name resolution configuration, such as misconfigured DNS records or a lack of domain name validation. 

    -getremotelogin: Displays the current status of Remote Login, which allows users to access the system remotely over the network.

user@macos:~$ sudo systemsetup -getremotelogin
Remote Login: On

Adversaries often use this option to determine whether Remote Login (SSH on macOS) is enabled; if it is, they may next try to learn which remote login protocols are supported. Later, adversaries can use this information to gain unauthorized access to the system by exploiting vulnerabilities in the remote login protocols.

4. networksetup (macOS)

systemsetup is not the only built-in macOS tool that adversaries can leverage.

The networksetup tool in macOS can be used by adversaries for reconnaissance purposes. By using the listallnetworkservices option, an adversary can list all network services configured on the system. This information can be crucial for understanding the network environment of the target system and identifying potential avenues for network-based attacks or further exploitation.

user@macos:~$ sudo networksetup -listallnetworkservices

An asterisk (*) denotes that a network service is disabled.

Wi-Fi

Thunderbolt Bridge

*Hotspot Shield VPN

In this example, the command lists available network services like Wi-Fi and Thunderbolt Bridge, and indicates that "Hotspot Shield VPN" is disabled. This knowledge can help an attacker understand the network setup and potentially identify less secure or disabled network services that can be exploited.

In addition, the networksetup -getinfo command can be used by adversaries to gather detailed network configuration information. When used with a specific network service such as Wi-Fi, it reveals that service's settings and parameters.

user@macos:~$ sudo networksetup -getinfo Wi-Fi
DHCP Configuration
IP address: 192.168.1.100
Subnet mask: 255.255.255.0
Router: 192.168.1.1
Client ID:
Wi-Fi ID: 00:1e:65:3b:42:fb

In this output, the command provides critical network information such as the IP address, subnet mask, router address, and the Wi-Fi interface's MAC address. This data can be valuable for an adversary in understanding the network layout, identifying potential internal network targets, and planning further network-based attacks or intrusions.

5. Built-in Linux Functions

On compromised Linux hosts, adversaries can run built-in commands or build tools that call the standard C library functions and system calls listed below to gain system-related information (uname is available both as a command and as a library call).

Function Name    What It Gathers
uname            Name and information about the Linux kernel.
sysinfo          Memory statistics and swap space usage.
statvfs          Statistics for a filesystem, for example the one holding the current working directory.
if_nameindex     Network interface names.

For instance, in a real-world scenario disclosed in November 2023, exploiting the PHPUnit vulnerability CVE-2017-9841 allowed attackers to open a reverse shell on port 1337 of the targeted system. This vulnerability was notably exploited by the Kinsing malware, which then used this access to run reconnaissance commands such as 'uname -a' and 'passwd' [5].

API Calls Used to Collect System Information for IaaS

Infrastructure-as-a-Service (IaaS) providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), offer APIs that allow users to retrieve information about the instances in their cloud infrastructure.

1. Describe-instance-information (AWS)

The DescribeInstanceInformation action is part of the AWS Systems Manager (SSM) API. It returns information about Amazon EC2 instances and on-premises servers that are registered as managed nodes with Systems Manager. Adversaries can call it through the AWS Command Line Interface (CLI) or directly through the Systems Manager API. Here is an example of how adversaries call the action using the AWS CLI:

aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=i-12345678

This command will retrieve information about the instance with the ID i-12345678. You can also specify multiple instances by providing a list of instance IDs in the valueSet parameter. 

Here is an example of the JSON response that the DescribeInstanceInformation action might return:

{
    "InstanceInformationList": [
        {
            "InstanceId":"i-12345678",
            "PingStatus":"Online",
            "LastPingDateTime":1608299022.927,
            "AgentVersion":"2.3.1234.0",
            "IsLatestVersion":true,
            "PlatformName":"Windows",
            "PlatformType":"Windows",
            "PlatformVersion":"2012",
            "ActivationId":"1234abcd-12ab-12ab-12ab-123456abcdef",
            "IamRole":"ssm-role",
            "RegistrationDate":1608298822.927,
            "ResourceType":"Instance",
            "Name":"my-instance",
            "IPAddress":"1.2.3.4"
        }
    ]
}

2. Virtual Machine - Get (Azure)

Adversaries can use the Get request to retrieve information about a VM in Microsoft Azure. The Get request can be made using the Azure REST API, Azure PowerShell cmdlets, or Azure CLI. Using the Get request, attackers can retrieve a wide range of information about the VM, including its resource group, location, size, status, and more.

Adversaries can send an HTTP GET request to the Azure Management REST API. The request should be made to the following URL:

hxxps://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version={apiVersion}

Where:

  • subscriptionId is the ID of the subscription that the VM belongs to.
  • resourceGroupName is the name of the resource group that the VM belongs to.
  • vmName is the name of the VM you want to retrieve information about.
  • apiVersion is the version of the Azure Management REST API you want to use.

The request must carry an Authorization header with a Bearer token that authenticates the caller. Here is a trimmed example of the JSON response that the Azure Management REST API might return for such a GET request:

{
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}",
    "name": "{vmName}",
    "type": "Microsoft.Compute/virtualMachines",
    "location": "EastUS",
    "properties": {
        "vmId": "{vmId}",
        "hardwareProfile": {
            "vmSize": "Standard_D1_v2"
        },
        "storageProfile": {
            "imageReference": {
                "publisher": "Canonical",
                "offer": "UbuntuServer",
                "sku": "18.04-LTS",
                "version": "latest"
            },
            "osDisk": {
                "name": "{vmName}-osdisk",
                "caching": "ReadWrite",
                "createOption": "FromImage",
                "diskSizeGB": 30,
                "managedDisk": {
                    "storageAccountType": "Standard_LRS"
                }
            }
        },
        "osProfile": {
            "computerName": "{vmName}",
            "adminUsername": "azureuser",
            "linuxConfiguration": {
                "disablePasswordAuthentication": true,
                "ssh": {
                    "publicKeys": [
                        {
                            "path": "/home/azureuser/.ssh/authorized_keys",
                            "keyData": "{ssh-public-key}"
                        }
                    ]
                }
            }
        },
        "networkProfile": {
            "networkInterfaces": [
                {
                    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{vmName}-nic",
                    "properties": {
                        "primary": true
                    }
                }
            ]
        },
        "provisioningState": "Succeeded"
    }
}

3. instances.get (GCP)

The instances.get method in Google Cloud Platform (GCP) is used to retrieve information about a specific Compute Engine virtual machine instance. It is a part of the Compute Engine API, which allows you to create and manage virtual machine instances on Google's infrastructure.

To use the instances.get method, you need to provide the name of the instance you want to retrieve information about, as well as the project and zone in which it is located. You can also specify additional parameters to customize the request.

Here is an example of calling instances.get through the gcloud CLI, whose describe command wraps this API method:

gcloud compute instances describe [INSTANCE_NAME] \
    --project=[PROJECT_ID] \
    --zone=[ZONE]

Here is a trimmed example of the JSON response that the instances.get method might return:

{
    "id": "1234567890",
    "creationTimestamp": "2023-01-01T12:34:56.789Z",
    "name": "my-instance",
    "zone": "projects/my-project/zones/us-central1-a",
    "machineType": "projects/my-project/machineTypes/n1-standard-1",
    "status": "RUNNING",
    "disks": [
        {
            "deviceName": "my-instance",
            "index": 0,
            "type": "PERSISTENT",
            "mode": "READ_WRITE",
            "boot": true,
            "autoDelete": true,
            "initializeParams": {
                "sourceImage": "projects/debian-cloud/global/images/family/debian-9",
                "diskSizeGb": "10",
                "diskType": "projects/my-project/zones/us-central1-a/diskTypes/pd-standard"
            },
            "diskSizeGb": "10",
            "licenses": [
                "projects/my-project/global/licenses/windows-server"
            ],
            "interface": "SCSI",
            "source": "projects/my-project/zones/us-central1-a/disks/my-instance",
            "guestOsFeatures": [
                {
                    "type": "VIRTIO_SCSI_MULTIQUEUE"
                }
            ]
        }
    ],
    "canIpForward": false,
    "networkInterfaces": [
        {
            "network": "global/networks/default",
            "subnetwork": "projects/my-project/regions/us-central1/subnetworks/default",
            "accessConfigs": [
                {
                    "name": "External NAT",
                    "type": "ONE_TO_ONE_NAT",
                    "natIP": "1.2.3.4"
                }
            ],
            "aliasIpRanges": [],
            "networkIP": "10.128.0.2"
        }
    ],
    "description": "My instance",
    "labels": {
        "env": "prod"
    },
    "scheduling": {
        "preemptible": false,
        "onHostMaintenance": "MIGRATE",
        "automaticRestart": true
    },
    "deletionProtection": false,
    "reservationAffinity": {
        "consumeReservationType": "ANY_RESERVATION"
    }
}

References

[1] H. C. Yuceel, “Volt Typhoon: The Chinese APT Group Abuse LOLBins for Cyber Espionage,” Jun. 01, 2023.  https://www.picussecurity.com/resource/blog/volt-typhoon-the-chinese-apt-group-abuse-lolbins-for-cyber-espionage

[2] Joe Security LLC, “Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox,” Joe Security LLC.  https://www.joesandbox.com/analysis/776315/0/html

[3] “The Spies Who Loved You: Infected USB Drives to Steal Secrets,” Mandiant, Oct. 03, 2021.  https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

[4] “Find your Mac model name and serial number,” Apple Support.  https://support.apple.com/en-by/102767

[5] B. Toulas, “Hackers exploit Looney Tunables Linux bug, steal cloud creds,” BleepingComputer, Nov. 06, 2023.  https://www.bleepingcomputer.com/news/security/hackers-exploit-looney-tunables-linux-bug-steal-cloud-creds/