System Information Discovery¶

What: System Information Discovery¶

System Information Discovery refers to a technique used by attackers to gather information about the operating system and hardware configurations on a targeted system. This is categorized under the "Discovery" phase in the MITRE ATT&CK framework, specifically identified as T1082. The goal is to acquire data that might help attackers gain deeper access, understand security measures in place, and tailor further attacks to fit the specific environment.

How: Techniques and Methods¶

1. Command-Line Tools: Attackers often use built-in command-line tools to extract system information. For example:

2. On Windows, commands like systeminfo, ipconfig /all, netstat -an, and tasklist are commonly used.

3. On Linux, commands like uname -a, lscpu, ifconfig, ps aux, and others provide detailed insights into the system.

4. Scripting: Scripts (PowerShell on Windows, Bash on Linux) are used to automate the collection of comprehensive system details.

5. API Calls: Direct API calls can be made to gather system information programmatically, such as using Windows API functions like GetSystemInfo.

6. Third-Party Software: Tools such as Sysinternals or custom malware can be employed to extract detailed system information without triggering standard security alerts.

7. Network Scanning and Enumeration: Techniques involve scanning network interfaces and services running on devices connected to the same network.

Where: Application Contexts¶

• Local System: Directly executed on a target machine where an attacker has already gained access.
• Remote System: Executed remotely using tools that interact with exposed services or vulnerabilities.
• Cloud Environments: Specialized commands and APIs designed for cloud platforms (AWS CLI, Azure CLI) can be used for discovering details about virtual instances and related configurations.

Why: Strategic Importance¶

1. Customizing Attacks: Knowledge of system configurations allows attackers to develop or use tailored exploits that have higher chances of success based on known vulnerabilities specific to particular systems or software versions.

2. Privilege Escalation: Understanding what security measures are in place (e.g., antivirus types, firewall settings) enables attackers to devise strategies for escalating their privileges within the system without detection.

3. Lateral Movement Preparation: Gathering details about network topologies and connected systems aids in planning lateral movements within a network, identifying potential high-value targets (like servers containing sensitive data).

4. Avoiding Detection: By understanding logging and monitoring mechanisms installed on the target systems, attackers can manipulate or evade these systems during their activities.

In summary, "System Information Discovery" is a foundational step in sophisticated cyberattacks providing critical intelligence for subsequent exploitation stages. It involves various methods ranging from simple command execution to complex scripting aimed at extracting maximum actionable data from targeted environments.