Skip to content

Latest commit

 

History

History
262 lines (120 loc) · 6.45 KB

T1082.md

File metadata and controls

262 lines (120 loc) · 6.45 KB
Raw

T1082 - System Information Discovery

Description from ATT&CK

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Windows

Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories.

Mac

On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.

AWS

In Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual machines, software, and software dependencies running.(Citation: Amazon System Discovery)

GCP

On Google Cloud Platform (GCP) GET /v1beta1/{parent=organizations/}/assets or POST /v1beta1/{parent=organizations/}/assets:runDiscovery may be used to list an organizations cloud assets, or perform asset discovery on a cloud environment.(Citation: Google Command Center Dashboard)

Azure

In Azure, the API request GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01 may be used to retrieve information about the model or instance view of a virtual machine.(Citation: Microsoft Virutal Machine API)

Atomic Tests


Atomic Test #1 - System Information Discovery

Identify System Info. Upon execution, system info and time info will be displayed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum


Atomic Test #2 - System Information Discovery

Identify System Info

Supported Platforms: macOS

Attack Commands: Run with sh!

system_profiler
ls -al /Applications


Atomic Test #3 - List OS Information

Identify System Info

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
output_file Output file used to store the results. path /tmp/T1082.txt

Attack Commands: Run with sh!

uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi;
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi;      
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi;
uptime >> #{output_file}
cat #{output_file} 2>/dev/null

Cleanup Commands:

rm #{output_file} 2>/dev/null


Atomic Test #4 - Linux VM Check via Hardware

Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.

Supported Platforms: Linux

Attack Commands: Run with bash!

if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi;
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi;
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi;
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi;
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi;
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"


Atomic Test #5 - Linux VM Check via Kernel Modules

Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.

Supported Platforms: Linux

Attack Commands: Run with bash!

sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"


Atomic Test #6 - Hostname Discovery (Windows)

Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

hostname


Atomic Test #7 - Hostname Discovery

Identify system hostname for Linux and macOS systems.

Supported Platforms: Linux, macOS

Attack Commands: Run with bash!

hostname


Atomic Test #8 - Windows MachineGUID Discovery

Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid