System Information Discovery

Information

• Name: System Information Discovery

• ID: T1082

• Tactics: TA0007

Introduction

System Information Discovery (Technique ID: T1082) is a reconnaissance technique categorized under the MITRE ATT&CK framework's Discovery tactic. Attackers leverage this technique to gather detailed information about the target system, including hardware specifications, operating system details, software configurations, and network environment. This information is critical for attackers to plan subsequent attack phases, identify vulnerabilities, and tailor their approach to evade detection and maximize exploitation effectiveness.

Deep Dive Into Technique

System Information Discovery involves collecting detailed information about a target system's hardware, software, operating system, and network details. Attackers typically execute commands or use built-in utilities and scripts to enumerate system attributes.

Common execution methods include:

• Built-in Operating System Commands and Utilities:

  • Windows:

    • systeminfo — Provides detailed OS version, patches, hardware, and network details.

    • hostname — Reveals the system's hostname.

    • ipconfig /all — Shows detailed network adapter configurations.

    • wmic commands — Enumerates hardware, software, and system configurations.

    • tasklist — Lists running processes and services.

    • PowerShell commands such as Get-ComputerInfo, Get-Process, and Get-Service.

  • Linux/Unix:

    • uname -a — Displays kernel and OS information.

    • hostnamectl — Shows hostname and OS details on modern Linux distributions.

    • lscpu, lsblk, lsusb, lspci — Enumerates hardware devices and configurations.

    • ifconfig or ip addr — Provides network interface details.

    • ps aux — Lists running processes and services.

    • /proc filesystem exploration — Provides granular system information.

• Third-party Tools and Malware:

  • Custom scripts (batch, PowerShell, bash, Python) to automate enumeration.

  • Malware frameworks (e.g., Cobalt Strike, Empire, Metasploit) with built-in system enumeration modules.

  • Remote access tools (RATs) that automate system information gathering upon infection.

Attackers typically leverage this technique early in the intrusion process to gain situational awareness, identify vulnerabilities, and customize follow-up attacks.

When this Technique is Usually Used

System Information Discovery is usually employed by attackers in various stages and scenarios, primarily:

• Initial Reconnaissance and Enumeration:

  • After initial compromise (post-exploitation) to map the compromised environment.

  • To identify potential lateral movement targets or valuable data sources.

• Privilege Escalation and Persistence:

  • Gathering system information to identify vulnerabilities or misconfigurations for privilege escalation.

  • Identifying installed software and versions to determine exploitability.

• Lateral Movement:

  • Enumerating connected systems and network configurations to identify lateral movement pathways.

  • Discovering additional vulnerable systems or services within the internal network.

• Exfiltration Planning:

  • Understanding system resources, network bandwidth, and security controls to optimize data exfiltration strategies.

• Maintaining Stealth and Persistence:

  • Identifying security tools, endpoint detection software, and logging mechanisms to evade detection and maintain persistence.

How this Technique is Usually Detected

Detection of System Information Discovery activity involves monitoring and analyzing system logs, command execution history, and endpoint telemetry. Common detection methods and indicators include:

• Endpoint Detection and Response (EDR) Tools:

  • Monitoring for suspicious or unusual command executions (e.g., frequent use of systeminfo, wmic, uname, hostnamectl).

  • Identifying anomalous scripts or processes executing enumeration commands.

• System and Security Logs Analysis:

  • Windows Event Logs (Security, System, PowerShell Operational logs) for suspicious command usage.

  • Linux audit logs (auditd) capturing execution of enumeration commands.

• Network Monitoring and Intrusion Detection Systems (IDS):

  • Identifying unusual outbound network traffic patterns indicative of exfiltration attempts after enumeration.

• Behavioral Analytics and UEBA (User and Entity Behavior Analytics):

  • Detecting abnormal user or system behavior, such as executing enumeration commands outside normal administrative routines.

• Specific Indicators of Compromise (IoCs):

  • Unusual execution of commands like systeminfo, wmic, ipconfig /all, uname -a, or enumeration scripts.

  • Unexpected creation or execution of scripts or binaries designed to gather system information.

  • Anomalous process spawning (e.g., PowerShell spawning from unexpected parent processes).

  • Presence of enumeration tools or scripts in temporary directories or unusual file paths.

Why it is Important to Detect This Technique

Early detection of System Information Discovery is critical due to its role in enabling adversaries to progress through subsequent attack stages. Importance includes:

• Preventing Privilege Escalation:

  • Early detection can prevent attackers from identifying vulnerabilities or misconfigurations needed for privilege escalation.

• Reducing Attack Surface:

  • Identifying enumeration activities allows defenders to proactively patch vulnerable systems and secure sensitive configurations.

• Limiting Lateral Movement:

  • Detecting enumeration activities early helps prevent attackers from mapping internal networks and identifying additional targets.

• Minimizing Data Exfiltration Risks:

  • Early detection and response limit the attacker's ability to plan and execute data exfiltration strategies.

• Strengthening Security Posture:

  • Continuous monitoring and detection of enumeration activities enable security teams to improve system hardening, security configurations, and incident response strategies.

Examples

Real-world examples of System Information Discovery include:

• APT Groups and Nation-State Actors:

  • APT29 (Cozy Bear): Known to use PowerShell scripts and built-in Windows utilities (systeminfo, tasklist) to enumerate system information during initial compromise and lateral movement phases.

  • APT32 (OceanLotus): Utilizes custom scripts and command-line utilities (wmic, ipconfig) to gather detailed system and network information for further exploitation.

• Ransomware Operators:

  • Ryuk Ransomware: Attackers leverage built-in enumeration tools (wmic, PowerShell scripts) to gather system and domain information, identify backup systems, and plan destructive ransomware deployment.

• Cybercriminal Campaigns:

  • TrickBot Malware: Employs system enumeration modules to collect detailed OS, hardware, and software data, enabling attackers to identify vulnerable systems and escalate privileges.

  • Emotet Malware: Uses reconnaissance modules to enumerate system information, installed software, and network details, facilitating lateral movement and secondary payload deployments.

• Penetration Testing and Red Teaming Tools:

  • Cobalt Strike Framework: Contains built-in system enumeration commands (systeminfo, net user, wmic) used in penetration tests and real-world attacks to identify vulnerabilities and potential attack vectors.

  • Metasploit Framework: Offers modules such as post/windows/gather/enum_system and post/linux/gather/enum_system to automate system information gathering during penetration tests.

In these real-world scenarios, attackers use system enumeration as a foundational step to enable deeper compromise, lateral movement, privilege escalation, and targeted attacks, highlighting the importance of robust detection and response mechanisms.