Applied Cybernetics Group
T1082 — System Information Discovery
- Technique: T1082
- Tactics: Discovery
- MISP citations: 0
- KEV CVEs mapped: 7
- Community rules: 33
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1082
MITRE description
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from [Local Storage Discovery](https://attack.mitre.org/techniques/T1680) which is an adversary's discovery of local drive, disks and/or volumes. Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the `systemsetup` configuration tool on macOS. Adversaries may leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. `show version`).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get` and `system version get`.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis) Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- CMD Shell Output Redirect (threat-hunting)
- System Information Discovery Via Wmic.EXE (threat-hunting)
- Bitbucket User Details Export Attempt Detected (core)
- Bitbucket User Permissions Export Attempt (core)
- System Information Discovery - Auditd (core)
- System and Hardware Information Discovery (core)
- System Info Discovery via Sysinfo Syscall (core)
- OS Architecture Discovery Via Grep (core)
- Potential GobRAT File Discovery Via Grep (core)
- Container Residence Discovery Via Proc Virtual FS (core)
- Docker Container Discovery Via Dockerenv Listing (core)
- Potential Container Discovery Via Inodes Listing (core)
- System Information Discovery (core)
- System Information Discovery Using Ioreg (core)
- System Information Discovery Using sw_vers (core)
- System Information Discovery Via Sysctl - MacOS (core)
- System Information Discovery Using System_Profiler (core)
- Cisco Discovery (core)
- HackTool - WinPwn Execution - ScriptBlock (core)
- System Information Discovery via Registry Queries (core)
- Suspicious Kernel Dump Using Dtrace (core)
- HackTool - PCHunter Execution (core)
- HackTool - winPEAS Execution (core)
- HackTool - WinPwn Execution (core)
- Suspicious Execution of Hostname (core)
Showing 25 of 33 community rules; the full set is tagged attack.t1082 in SigmaHQ.