# T1082 - System Information Discovery

## Description from ATT&CK

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

### Windows

Example commands and utilities that obtain this information include `ver`, `Systeminfo`, and `dir` within cmd for identifying information based on present files and directories.

### Mac

On Mac, the `systemsetup` command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, `system_profiler` gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.

### AWS

In Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual machines, software, and software dependencies running. (Citation: Amazon System Discovery)

### GCP

On Google Cloud Platform (GCP), `GET /v1beta1/{parent=organizations/}/assets` or `POST /v1beta1/{parent=organizations/}/assets:runDiscovery` may be used to list an organization's cloud assets, or perform asset discovery on a cloud environment. (Citation: Google Command Center Dashboard)

### Azure

In Azure, the API request `GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01` may be used to retrieve information about the model or instance view of a virtual machine. (Citation: Microsoft Virutal Machine API)
## Atomic Tests

### Atomic Test #1 - System Information Discovery

Identify System Info

**Supported Platforms:** Windows

#### Run it with `command_prompt`!

```cmd
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
```
### Atomic Test #2 - System Information Discovery

Identify System Info

**Supported Platforms:** Linux, macOS

#### Run it with `sh`!

```sh
systemsetup
system_profiler
ls -al /Applications
```
### Atomic Test #3 - List OS Information

Identify System Info

**Supported Platforms:** Linux, macOS

#### Run it with `sh`!

```sh
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
```
### Atomic Test #4 - Linux VM Check via Hardware

Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.

**Supported Platforms:** Linux

#### Run it with `bash`!

```bash
# Each check prints a line only when a hypervisor or cloud vendor string is present.
# DMI/SMBIOS strings exposed through sysfs (readable without root)
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
# Full SMBIOS table (needs root); pattern spells the vendor as "qemu"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|qemu\|domu"
# Virtual disk and controller model strings
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
# PCI devices and CPU hypervisor vendor
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
```
### Atomic Test #5 - Linux VM Check via Kernel Modules

Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.

**Supported Platforms:** Linux

#### Run it with `bash`!

```bash
# VirtualBox guest additions
sudo lsmod | grep -i "vboxsf\|vboxguest"
# VMware balloon driver and paravirtual NIC (the module is named vmw_balloon)
sudo lsmod | grep -i "vmw_balloon\|vmxnet"
# Xen paravirtual block and network front-ends
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
# KVM/QEMU virtio transport and NIC
sudo lsmod | grep -i "virtio_pci\|virtio_net"
# Hyper-V integration services
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
```
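The commands in the description and in the five atomic tests above are what a detection has to key on, and any one of them on its own (a lone `systeminfo` from an administrator, for instance) is too noisy to alert on. The following is an added example, not Atomic Red Team or ATT&CK code, of how a detection engineer might score a host on how many distinct T1082 indicator families fire within a short window. It assumes process-creation telemetry (Windows 4688 / Sysmon event 1, Linux auditd EXECVE, or similar) has been flattened to JSON lines with `host`, `ts` (epoch seconds) and `cmdline` fields; the sample events, the indicator names and the default threshold are this example's own constructions, not a published rule set.

```python
"""Detection helper for the T1082 discovery commands listed above.

Added example, not Atomic Red Team or ATT&CK code. Assumes process-creation
telemetry flattened to JSON lines with "host", "ts" (epoch seconds) and
"cmdline" fields. Indicator names and thresholds are this example's choices.
"""
import json
import re
from collections import defaultdict

# One regex per family of commands drawn from the description and the atomic tests.
INDICATORS = {
    "win_systeminfo": re.compile(r"(^|\\|\s)systeminfo(\.exe)?\b", re.I),
    "win_disk_enum": re.compile(r"reg(\.exe)?\s+query\s+.*\\Services\\Disk\\Enum", re.I),
    "nix_os_release": re.compile(r"\b(uname\s+-a|cat\s+/etc/(lsb-release|redhat-release|issue))\b", re.I),
    "nix_dmi_read": re.compile(r"/sys/class/dmi/id/|\bdmidecode\b", re.I),
    "nix_vm_modules": re.compile(r"\blsmod\b.*\b(vbox|vmw_|xen-|virtio_|hv_)", re.I),
    "nix_hw_enum": re.compile(r"\b(lspci|lscpu)\b|/proc/scsi/scsi|/proc/ide/", re.I),
    "mac_profiler": re.compile(r"\b(system_profiler|systemsetup)\b", re.I),
}

# Constructed sample telemetry: ws01 runs Atomic Test #1, srv02 mixes Tests #3-#5,
# admin03 is a lone systeminfo that should stay below the alert threshold.
SAMPLE_EVENTS = r"""
{"host": "ws01", "ts": 1700000000, "cmdline": "C:\\Windows\\System32\\systeminfo.exe"}
{"host": "ws01", "ts": 1700000005, "cmdline": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"}
{"host": "ws01", "ts": 1700000009, "cmdline": "C:\\Windows\\System32\\whoami.exe"}
{"host": "srv02", "ts": 1700000100, "cmdline": "/bin/sh -c \"uname -a >> /tmp/loot.txt\""}
{"host": "srv02", "ts": 1700000101, "cmdline": "/bin/sh -c \"cat /sys/class/dmi/id/product_name | grep -i VMware\""}
{"host": "srv02", "ts": 1700000103, "cmdline": "/bin/sh -c \"lsmod | grep -i vboxguest\""}
{"host": "srv02", "ts": 1700000104, "cmdline": "sudo lspci"}
{"host": "admin03", "ts": 1700000500, "cmdline": "systeminfo"}
"""


def classify(cmdline: str) -> set:
    """Return the names of every indicator family matched by one command line."""
    return {name for name, pat in INDICATORS.items() if pat.search(cmdline)}


def scan(jsonl: str, window: int = 120, threshold: int = 2) -> list:
    """Alert once per host when `threshold` distinct indicator families fire
    within `window` seconds. Returns alerts sorted by host name."""
    hits = defaultdict(list)  # host -> [(ts, indicator), ...]
    for raw in jsonl.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        for ind in classify(ev["cmdline"]):
            hits[ev["host"]].append((ev["ts"], ind))

    alerts = []
    for host, events in sorted(hits.items()):
        events.sort()
        # Slide a window forward from each hit and count distinct families inside it.
        for i, (start, _) in enumerate(events):
            families = {ind for ts, ind in events[i:] if ts - start <= window}
            if len(families) >= threshold:
                alerts.append({"host": host, "first_seen": start,
                               "indicators": sorted(families)})
                break
    return alerts


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

With the defaults, `ws01` and `srv02` alert while `admin03` does not; raising `threshold` to 3 keeps only the Linux host, which ran four different families in five seconds. Tuning these two parameters against the telemetry of known-good admin activity is the real work; the regexes are only the starting point.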