An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS
systemsetup
command, but it requires administrative privileges.Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
-
Atomic Test #10 - Environment variables discovery on windows
-
Atomic Test #11 - Environment variables discovery on macos and linux
Identify System Info. Upon execution, system info and time info will be displayed.
Supported Platforms: Windows
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
Identify System Info
Supported Platforms: macOS
system_profiler
ls -al /Applications
Identify System Info
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Output file used to store the results. | path | /tmp/T1082.txt |
uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi;
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi;
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi;
uptime >> #{output_file}
cat #{output_file} 2>/dev/null
rm #{output_file} 2>/dev/null
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
Supported Platforms: Linux
if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi;
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi;
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi;
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi;
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi;
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi;
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi;
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
Supported Platforms: Linux
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
Supported Platforms: Windows
hostname
Identify system hostname for Linux and macOS systems.
Supported Platforms: Linux, macOS
hostname
Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
Supported Platforms: Windows
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool.
This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d),
and it gives the exact same recon behavior as the original (minus the C2 interaction).
For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
vbscript | Path to sample script | String | PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs |
cscript #{vbscript}
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
Supported Platforms: Windows
set
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
Supported Platforms: macOS, Linux
env