An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1082 | System Information Discovery |
Comments
CrowdStrike and Intel have co-engineered an Accelerated memory scanning (CAMS) capability based on Intel Threat Detection Technology.
This dynamic solution enhances CrowdStrike Falcon security by detecting cyber threats earlier in the kill chain and in real-time by offloading the Falcon sensor's performance-intensive memory scans from the CPU to the Intel Integrated GPU.
AMS is able to prevent the running of executables masquerading as other files, execution of potentially malicious files, and suspicious behavior patterns from occurring on endpoint systems (e.g., suspicious process, file, API call, etc.).
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2019-1653 | Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability | primary_impact | T1082 | System Information Discovery |
Comments
CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
References
|
| CVE-2020-8195 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | primary_impact | T1082 | System Information Discovery |
Comments
CVE-2020-8195 is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2020-8196 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | primary_impact | T1082 | System Information Discovery |
Comments
CVE-2020-8196
is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1082 | System Information Discovery |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2024-23692 | Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability | primary_impact | T1082 | System Information Discovery |
Comments
CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.
References
|
| CVE-2021-40449 | Microsoft Windows Win32k Privilege Escalation Vulnerability | secondary_impact | T1082 | System Information Discovery |
Comments
This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities.
The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.
References
|
| CVE-2023-43770 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1082 | System Information Discovery |
Comments
This vulnerability is exploited by an adversary via malicious links embedded in trustworthy websites to infiltrate victim systems. Successful exploitation grants the adversary the ability to execute arbitrary code on the impacted system.
The Russia-aligned hacking group TAG-70 has been attributed to exploiting this vulnerability. TAG-70 has used this vulnerability in an espionage campaign targeting European government and military agencies, as well as Iranian embassies in Russia, aiming to gather intelligence on European political and military activities. The campaign, active from early to mid-October 2023, is part of a broader pattern of Russian state-aligned cyber-espionage targeting email services.
References
|