T1082 - System Information Discovery
Description from ATT&CK
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine. (Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virtual Machine API)
Atomic Tests
- Atomic Test #1 - System Information Discovery
- Atomic Test #2 - System Information Discovery
- Atomic Test #3 - List OS Information
- Atomic Test #4 - Linux VM Check via Hardware
- Atomic Test #5 - Linux VM Check via Kernel Modules
- Atomic Test #6 - Hostname Discovery (Windows)
- Atomic Test #7 - Hostname Discovery
- Atomic Test #8 - Windows MachineGUID Discovery
- Atomic Test #9 - Griffon Recon
- Atomic Test #10 - Environment variables discovery on Windows
- Atomic Test #11 - Environment variables discovery on macOS and Linux
Atomic Test #1 - System Information Discovery
Identify System Info. Upon execution, system info and time info will be displayed.
Supported Platforms: Windows
auto_generated_guid: 66703791-c902-4560-8770-42b8a91f7667
Attack Commands: Run with command_prompt!
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
Atomic Test #2 - System Information Discovery
Identify System Info
Supported Platforms: macOS
auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6
Attack Commands: Run with sh!
system_profiler
ls -al /Applications
Atomic Test #3 - List OS Information
Identify System Info
Supported Platforms: Linux, macOS
auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file used to store the results. | Path | /tmp/T1082.txt |
Attack Commands: Run with sh!
uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi;
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi;
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi;
uptime >> #{output_file}
cat #{output_file} 2>/dev/null
Cleanup Commands:
rm #{output_file} 2>/dev/null
Atomic Test #4 - Linux VM Check via Hardware
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
Supported Platforms: Linux
auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec
Attack Commands: Run with bash!
if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi;
if [ -f /sys/class/dmi/id/chassis_vendor ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi;
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|qemu\|domu"; fi;
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi;
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi;
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi;
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi;
Atomic Test #5 - Linux VM Check via Kernel Modules
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
Supported Platforms: Linux
auto_generated_guid: 8057d484-0fae-49a4-8302-4812c4f1e64e
Attack Commands: Run with bash!
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_balloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
Atomic Test #6 - Hostname Discovery (Windows)
Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
Supported Platforms: Windows
auto_generated_guid: 85cfbf23-4a1e-4342-8792-007e004b975f
Attack Commands: Run with command_prompt!
hostname
Atomic Test #7 - Hostname Discovery
Identify system hostname for Linux and macOS systems.
Supported Platforms: Linux, macOS
auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133
Attack Commands: Run with bash!
hostname
Atomic Test #8 - Windows MachineGUID Discovery
Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
Supported Platforms: Windows
auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8
Attack Commands: Run with command_prompt!
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
Atomic Test #9 - Griffon Recon
This script emulates the reconnaissance script used by Griffon. It was modified by security researcher Kirk Sayre so that it simply prints the recon results to the screen rather than exfiltrating them.
For more information see also https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/
Supported Platforms: Windows
auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| vbscript | Path to sample script | String | PathToAtomicsFolder\T1082\src\griffon_recon.vbs |
Attack Commands: Run with powershell!
cscript #{vbscript}
Atomic Test #10 - Environment variables discovery on Windows
Identify all environment variables. Upon execution, environment variables and your path info will be displayed.
Supported Platforms: Windows
auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3
Attack Commands: Run with command_prompt!
set
Atomic Test #11 - Environment variables discovery on macOS and Linux
Identify all environment variables. Upon execution, environment variables and your path info will be displayed.
Supported Platforms: macOS, Linux
auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720
Attack Commands: Run with sh!
env
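The tests above are the telemetry a detection engineer should expect to see when T1082 is exercised: process creations for systeminfo, reg query against the Disk\Enum and Cryptography keys, hostname, set/env, uname, dmidecode, and lsmod with guest-module names. The script below is an added example, not part of the Atomic Red Team page or project; it runs simple command-line patterns derived from Tests #1 through #11 over constructed process-creation events and only alerts when several distinct discovery indicators occur on one host inside a short window, since a lone hostname or uname is routine administration while a burst of different discovery commands is what these tests (and the malware they emulate) look like. The event field names (host, ts, image, cmdline) are assumed and not those of any particular sensor.

```python
"""Detection logic for T1082 discovery bursts over constructed process-creation events.

Added example, not Atomic Red Team code. Event records and field names are constructed
and assumed; adapt the field mapping to your own EDR or Sysmon/auditd pipeline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns derived from the atomic tests, each labelled with the test it covers.
T1082_PATTERNS = [
    (re.compile(r"(^|[\\/\s])systeminfo(\.exe)?\b", re.I), "systeminfo (Test #1)"),
    (re.compile(r"\breg(\.exe)?\s+query\s+.*\\Services\\Disk\\Enum", re.I), "disk enumeration registry query (Test #1)"),
    (re.compile(r"\breg(\.exe)?\s+query\s+.*\\Cryptography\b.*machineguid", re.I), "MachineGuid registry query (Test #8)"),
    (re.compile(r"(^|[\\/\s])hostname(\.exe)?\s*$", re.I), "hostname (Tests #6/#7)"),
    (re.compile(r"(^|[\\/\s])(system_profiler|uname)\b", re.I), "system_profiler/uname (Tests #2/#3)"),
    (re.compile(r"\bdmidecode\b|/sys/class/dmi/id/", re.I), "DMI hardware VM check (Test #4)"),
    (re.compile(r"\blsmod\b.*\b(vbox|vmw_|xen-|virtio|hv_)", re.I), "guest kernel module VM check (Test #5)"),
    (re.compile(r"\bcscript(\.exe)?\s+.*griffon_recon\.vbs", re.I), "Griffon recon script (Test #9)"),
    (re.compile(r"(^|[\\/\s])(set|env)\s*$", re.I), "environment variable dump (Tests #10/#11)"),
]

# Constructed sample telemetry (not real logs): ws01 and srv03 run the atomic tests,
# srv02 is an admin checking a hostname, ws04 is unrelated activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-01-10T09:00:01", "image": "C:\\Windows\\System32\\systeminfo.exe", "cmdline": "systeminfo"},
    {"host": "ws01", "ts": "2024-01-10T09:00:03", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"},
    {"host": "ws01", "ts": "2024-01-10T09:00:05", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid"},
    {"host": "ws01", "ts": "2024-01-10T09:00:06", "image": "C:\\Windows\\System32\\hostname.exe", "cmdline": "hostname"},
    {"host": "ws01", "ts": "2024-01-10T09:00:08", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c set"},
    {"host": "srv02", "ts": "2024-01-10T11:15:00", "image": "/usr/bin/hostname", "cmdline": "hostname"},
    {"host": "srv03", "ts": "2024-01-10T12:00:00", "image": "/bin/sh",
     "cmdline": "sh -c 'if [ -x \"$(command -v dmidecode)\" ]; then sudo dmidecode | grep -i vmware; fi'"},
    {"host": "srv03", "ts": "2024-01-10T12:00:02", "image": "/bin/sh",
     "cmdline": "sh -c 'sudo lsmod | grep -i \"vboxsf\\|vboxguest\"'"},
    {"host": "srv03", "ts": "2024-01-10T12:00:04", "image": "/usr/bin/env", "cmdline": "env"},
    {"host": "srv03", "ts": "2024-01-10T12:00:05", "image": "/bin/uname", "cmdline": "uname -a"},
    {"host": "ws04", "ts": "2024-01-10T13:00:00", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe settings.txt"},
]


def classify(event):
    """Return the T1082 indicator labels whose pattern matches this event's command line."""
    cmd = event["cmdline"]
    return [label for pattern, label in T1082_PATTERNS if pattern.search(cmd)]


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Alert per host when at least `min_distinct` different indicator classes fall inside `window`.

    Returns {host: sorted list of indicator labels}. Hosts with a single matching
    command (e.g. one hostname call) never reach the threshold.
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        labels = classify(ev)
        if labels:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), labels))

    alerts = {}
    for host, hits in per_host.items():
        # Slide a window starting at each hit and collect the distinct classes inside it.
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, labels in hits[i:]:
                if ts - start > window:
                    break
                seen.update(labels)
            if len(seen) >= min_distinct:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, labels in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(labels)} distinct T1082 indicators: {', '.join(labels)}")
```

The threshold and window are the tuning knobs: raising min_distinct suppresses the alert on srv03 (four classes) before ws01 (five), and the patterns should be re-checked against a clean baseline from your own fleet before deployment, since `set` and `env` in particular appear in legitimate scripts.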