System Information Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version). System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment. Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.
Detection logic
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information, so command-line monitoring alone will not see them. Network Device CLI commands may also be used to gather detailed system information with features native to the network device platform; monitor CLI activity for unexpected or unauthorized commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to APIs and dashboards that expose system information. Depending on how the environment is used, that data alone may not be useful, because the same calls occur benignly during normal operations.
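The "chain of behavior" point above is the part that matters in practice: one `systeminfo` from an administrator's shell is noise, but several distinct discovery commands in a few minutes, or a discovery command spawned by an Office or script host, is worth an alert. The following added example (not code from the page or from ATT&CK) scores constructed process-creation events that way. It assumes telemetry that records timestamp, host, user, parent image name and full command line; the pattern set extends the commands named on the page (`systeminfo`, `systemsetup`, `df -aH`, `show version`) with assumed equivalents (`wmic os`, `Get-ComputerInfo`, `uname -a`, `/etc/os-release`), and the list of unusual parent processes is an assumption to tune per environment.

```python
"""Added example: scoring System Information Discovery in process-creation telemetry.

Two rules are implemented over constructed events:
  1. discovery_from_unusual_parent: any discovery command whose parent is an
     Office application or script host (assumed list, tune per environment).
  2. discovery_burst: >= MIN_DISTINCT different discovery categories from the
     same host/user inside a sliding time window.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command-line patterns per discovery category. systeminfo, systemsetup, df and
# "show version" come from the page; the rest are assumed equivalents.
DISCOVERY_PATTERNS = {
    "systeminfo": re.compile(r"(^|[\\/\s])systeminfo(\.exe)?\b", re.I),
    "wmi_os": re.compile(r"\bwmic\b.*\bos\b|Win32_OperatingSystem|Get-ComputerInfo", re.I),
    "macos_systemsetup": re.compile(r"\bsystemsetup\b|\bsw_vers\b|\bsystem_profiler\b", re.I),
    "df": re.compile(r"(^|\s)df(\s|$)"),
    "uname": re.compile(r"\buname\s+-a\b"),
    "os_release": re.compile(r"/etc/(os-release|lsb-release|redhat-release)\b"),
    "netdev_show_version": re.compile(r"^\s*show\s+version\b", re.I),
}

# Assumed list of parents that should not normally spawn discovery commands.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    parent: str      # image name of the parent process
    cmdline: str


def classify(cmdline: str) -> str | None:
    """Return the discovery category a command line falls into, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def score_events(events, window=timedelta(minutes=10), min_distinct=3):
    """Apply both rules; returns a list of alert dicts (one burst alert per host/user)."""
    alerts = []
    hits_by_key = defaultdict(list)          # (host, user) -> [(ts, category), ...]
    for ev in sorted(events, key=lambda e: e.ts):
        category = classify(ev.cmdline)
        if category is None:
            continue
        if ev.parent.lower() in SUSPICIOUS_PARENTS:
            alerts.append({"rule": "discovery_from_unusual_parent", "host": ev.host,
                           "user": ev.user, "ts": ev.ts, "category": category,
                           "parent": ev.parent})
        hits_by_key[(ev.host, ev.user)].append((ev.ts, category))

    for (host, user), hits in hits_by_key.items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:   # slide the window forward
                start += 1
            categories = {c for _, c in hits[start:end + 1]}
            if len(categories) >= min_distinct:
                alerts.append({"rule": "discovery_burst", "host": host, "user": user,
                               "ts": hits[start][0], "categories": sorted(categories)})
                break                             # one burst alert per host/user
    return alerts


def _t(clock: str) -> datetime:
    return datetime.fromisoformat("2024-05-01T" + clock)


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(_t("09:00:00"), "ws-17", "jdoe", "winword.exe", "cmd.exe /c systeminfo"),
    ProcessEvent(_t("09:01:30"), "ws-17", "jdoe", "cmd.exe", "wmic os get caption,version"),
    ProcessEvent(_t("09:02:00"), "ws-17", "jdoe", "cmd.exe", "whoami"),
    ProcessEvent(_t("09:03:10"), "ws-17", "jdoe", "cmd.exe", "powershell -c Get-ComputerInfo"),
    ProcessEvent(_t("10:00:00"), "srv-db", "www-data", "bash", "df -aH"),
    ProcessEvent(_t("10:00:20"), "srv-db", "www-data", "bash", "uname -a"),
    ProcessEvent(_t("10:00:45"), "srv-db", "www-data", "bash", "cat /etc/os-release"),
    ProcessEvent(_t("11:00:00"), "admin-01", "sysadmin", "explorer.exe", "systeminfo"),
]

if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the administrator's lone `systeminfo` on `admin-01` produces nothing, `ws-17` is flagged only by the unusual-parent rule (its `wmic os` and `Get-ComputerInfo` calls collapse into one category, so no burst), and `srv-db` trips the burst rule with three distinct categories in under a minute. Raising `min_distinct` or shortening `window` trades recall for fewer alerts on busy admin hosts.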
Observed actors
G0082
G1008 SideCopy
G0022 APT3
G1020 Mustard Tempest
G0094 Kimsuky
G0018 admin@338
G1017 Volt Typhoon
G0040 Patchwork
G0096 APT41
G0050 APT32
G0069 MuddyWater
G0047 Gamaredon Group
G0139 TeamTNT
G0034 Sandworm Team
G0026 APT18
G1012 CURIUM
G0121 Sidewinder
G0129 Mustang Panda
G0128 ZIRCONIUM
G0106 Rocke
G1018 TA2541
G0067 APT37
G1009 Moses Staff
G0049 OilRig
G0124 Windigo
G0126 Higaisa
G0081 Tropic Trooper
G0143 Aquatic Panda
G0004 Ke3chang
G0142 Confucius
G0108 Blue Mockingbird
G1035 Winter Vivern
G0010 Turla
G1039 RedCurl
G0038 Stealth Falcon
G0016 APT29
G0114 Chimera
G0012 Darkhotel
G0112 Windshift
G1022 ToddyCat
G0007 APT28
G1026 Malteiro
G0032 Lazarus Group
G0054 Sowbug
G0102 Wizard Spider
G1036 Moonstone Sleet
G0100 Inception
G1040 Play
G1001 HEXANE
G1034 Daggerfly
G0059 Magic Hound
G0061 FIN8
G1016 FIN13
G0073 APT19
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mention · APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention · ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention · Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention · Executive Summary
Israel Threat Actors CTI · explicit report mention · Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention · Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention · APT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mention · ATT&CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mention · Attack Playbook Operation DragonRx
1200km Medium · authored report mention · Operation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware