T1082: System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version). System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Rules are listed as package: rule ID: rule name: description.

solaris_suspicious_network_activity: PT-CR-546: Solaris_Detect_Local_Automatic_Recon_By_WWW_User: Local reconnaissance of an operating system is detected
solaris_suspicious_network_activity: PT-CR-547: Solaris_Detect_Local_Manual_Recon_By_WWW_User: Local reconnaissance of an operating system is detected
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
unix_mitre_attck_discovery: PT-CR-1690: Unix_System_Information_Discovery: Information about a Unix host system was received
mssql_database: PT-CR-416: MSSQL_File_System_Discovery: An attempt to get information from the file system using a database
hashicorp: PT-CR-2141: Hashicorp_Vault_Infrastructure_Discovery: Attackers can perform reconnaissance of the system infrastructure to determine possible further actions
mitre_attck_discovery: PT-CR-332: System_Information_Discovery: An attempt to retrieve information about the versions of the system, applications, and enabled components is detected
mitre_attck_discovery: PT-CR-1014: USB_Tokens_Discovery: An attempt to obtain information about connected tokens or keys stored in the registry
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: A large number of reconnaissance-related actions on a host
sap_suspicious_user_activity: PT-CR-244: SAPASABAP_GW_Reginfo_Denied_Server: Registration of an external program is not allowed
sap_suspicious_user_activity: PT-CR-246: SAPASABAP_GW_Secinfo_Denied: An external program is not allowed to run
clickhouse: PT-CR-1569: ClickHouse_DBMS_Version_Discovery: An attempt to receive information about the DBMS version is detected
clickhouse: PT-CR-1583: ClickHouse_System_Info_Discovery: An attempt to receive information about a server or DBMS is detected
active_directory_attacks: PT-CR-2125: Untrusted_Terminal_Server_Activity: Untrusted terminal server commands were used
hacking_tools: PT-CR-2244: SOAPHound_Usage: SOAPHound was used, which is a tool that collects Active Directory data via the Active Directory Web Services (ADWS) protocol
hacking_tools: PT-CR-2017: SharpHound_LDAP_Requests: The launch of the SharpHound (BloodHound) tool using one of the methods ObjectProps, ACL, Trusts, or Container is detected. ObjectProps performs Object Properties collection for properties such as LastLogon or PwdLastSet; ACL collects abusable permissions on objects in Active Directory; Trusts collects domain trusts; Container collects the OU tree structure and Group Policy links
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-2118: AdPEAS_Usage: The adPEAS script for domain reconnaissance was started
postgresql_database: PT-CR-2335: PostgreSQL_Func_Discovery: Getting the code of all functions via pg_proc as a reconnaissance element
postgresql_database: PT-CR-2336: PostgreSQL_SecDef_Function_PrivEsc: Creating and searching for Security Definer functions as a potential privilege escalation element

Detection

ID: DS0009 | Data source and component: Process: OS API Execution | Description:

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

ID: DS0009 | Data source and component: Process: Process Creation | Description:

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

ID: DS0017 | Data source and component: Command: Command Execution | Description:

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
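The following Python is an added example (not a MaxPatrol SIEM rule and not MITRE code) that applies the process-creation and command-execution guidance above to constructed events: it matches the commands the page names (systeminfo, systemsetup, df -aH, show version, WMI and PowerShell OS queries) and, because single hits are benign on many admin hosts, raises a separate alert only when several matches from one host and user fall inside a short window, the "mass recon" idea behind rules such as Unix_Local_Mass_Recon and Windows_Mass_Recon. The pattern set, the five-minute window and the threshold of three are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for OS/hardware enumeration (T1082). Assumed set for this
# example; a production rule base would be wider and tuned per platform.
SYSINFO_PATTERNS = [
    re.compile(r"^systeminfo\b", re.I),                                # Windows
    re.compile(r"^wmic\s+(os|computersystem|qfe)\b", re.I),            # WMI via wmic
    re.compile(r"Get-ComputerInfo|Get-(WmiObject|CimInstance)\b.*Win32_(OperatingSystem|ComputerSystem|QuickFixEngineering)", re.I),
    re.compile(r"^systemsetup\b"),                                     # macOS (privileged)
    re.compile(r"^(uname\s+-a|df\s+-aH|lsb_release|sw_vers)\b"),       # Unix / macOS
    re.compile(r"^show\s+version\b", re.I),                            # network device CLI
]

def is_sysinfo_discovery(cmdline: str) -> bool:
    """True when the command line matches a system-information discovery command."""
    return any(p.search(cmdline.strip()) for p in SYSINFO_PATTERNS)

def detect(events, window=timedelta(minutes=5), threshold=3):
    """Every match yields a System_Information_Discovery alert; `threshold` or more matches
    by one host/user inside `window` add a single Mass_Recon alert (the stronger signal)."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, host, user, cmd in sorted(events):          # (iso_timestamp, host, user, cmdline)
        if not is_sysinfo_discovery(cmd):
            continue
        alerts.append(("System_Information_Discovery", host, user, cmd))
        t, key = datetime.fromisoformat(ts), (host, user)
        recent[key] = [x for x in recent[key] if t - x <= window] + [t]   # sliding window
        if len(recent[key]) >= threshold and key not in flagged:
            flagged.add(key)                              # report each burst once
            alerts.append(("Mass_Recon", host, user, f"{len(recent[key])} commands in {window}"))
    return alerts

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "ws01", "alice", "systeminfo"),
    ("2024-05-01T10:00:04", "ws01", "alice", "wmic qfe list"),
    ("2024-05-01T10:00:06", "ws01", "alice", 'powershell -c "Get-CimInstance Win32_OperatingSystem"'),
    ("2024-05-01T10:00:09", "ws01", "alice", "notepad.exe notes.txt"),
    ("2024-05-01T11:30:00", "srv02", "www-data", "df -aH"),
    ("2024-05-01T11:30:02", "srv02", "www-data", "uname -a"),
    ("2024-05-01T12:00:00", "rtr01", "netops", "show version"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

On the sample data the workstation burst produces three discovery alerts plus one Mass_Recon alert, while the two Unix commands and the router command each raise only a discovery alert.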