T1082

System Information Discovery

System Information Discovery (T1082) is a MITRE ATT&CK technique associated with Discovery . An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Technique ID: T1082
Difficulty: Intermediate
Tactics: Discovery
Platforms: ESXiIaaSLinuxmacOSNetwork DevicesWindows

Executive Summary

System Information Discovery (T1082) is a MITRE ATT&CK technique associated with Discovery. An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Why Attackers Use It

Attackers use System Information Discovery because it provides a reliable way to advance their objective within the Discovery tactic, often with a favorable balance of impact versus detectability on ESXi, IaaS, Linux, macOS, Network Devices, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. Adversaries may leverage a Network Device CLI on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as system hostname get and system version get.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)

System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes System Information Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, IaaS, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents System Information Discovery. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with System Information Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001
T1001.001
T1001.002
T1001.003
T1003
T1005
T1007
T1008
T1010
T1012
T1014
T1016
T1016.001
T1016.002
T1018
T1020
T1021.001
T1021.002
T1027
T1027.001
T1027.002
T1027.003
T1027.008
T1027.009
T1027.010
T1027.011
T1027.013
T1027.015
T1027.016
T1029
T1030
T1033
T1036
T1036.001
T1036.003
T1036.004
T1036.005
T1036.008
T1037
T1037.004
T1041
T1046
T1047
T1048
T1048.002
T1048.003
T1049
T1053.002
T1053.003
T1053.005
T1055
T1055.001
T1055.002
T1055.004
T1055.012
T1056
T1056.001
T1056.002
T1056.003
T1056.004
T1057
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.005
T1059.006
T1059.007
T1068
T1069
T1069.001
T1069.002
T1070
T1070.003
T1070.004
T1070.006
T1070.008
T1070.009
T1071
T1071.001
T1071.002
T1071.003
T1071.004
T1074
T1074.001
T1078.003
T1083
T1087
T1087.001
T1087.002
T1087.003
T1090
T1090.001
T1090.003
T1091
T1095
T1098.004
T1102
T1102.001
T1102.002
T1102.003
T1104
T1105
T1106
T1111
T1112
T1113
T1115
T1119
T1120
T1123
T1124
T1125
T1127.001
T1129
T1132.001
T1132.002
T1134
T1134.001
T1134.002
T1134.004
T1135
T1136.001
T1137.001
T1140
T1176.001
T1185
T1189
T1190
T1195
T1195.001
T1195.002
T1197
T1203
T1204.001
T1204.002
T1213
T1213.003
T1217
T1218.004
T1218.005
T1218.007
T1218.010
T1218.011
T1219
T1221
T1222.001
T1222.002
T1480
T1480.001
T1480.002
T1482
T1484.001
T1485
T1491.001
T1496.001
T1497
T1497.001
T1497.002
T1497.003
T1498
T1518
T1518.001
T1528
T1529
T1539
T1543
T1543.001
T1543.002
T1543.003
T1543.004
T1546
T1546.003
T1546.004
T1546.016
T1547
T1547.001
T1547.004
T1547.006
T1547.008
T1547.009
T1547.012
T1547.013
T1548.002
T1552
T1552.001
T1552.002
T1552.004
T1552.005
T1553.001
T1553.002
T1554
T1555
T1555.001
T1555.003
T1555.004
T1559
T1559.001
T1559.002
T1560
T1560.001
T1560.002
T1561.001
T1561.002
T1564
T1564.001
T1564.003
T1564.004
T1564.006
T1564.011
T1565.002
T1566.001
T1566.002
T1567
T1568.001
T1568.002
T1569.001
T1569.002
T1571
T1573
T1573.001
T1573.002
T1574
T1574.001
T1574.006
T1574.012
T1583.003
T1583.004
T1584.001
T1584.004
T1584.006
T1584.008
T1585.001
T1585.002
T1587.001
T1588.007
T1595.002
T1598
T1598.002
T1598.003
T1614
T1614.001
T1615
T1620
T1622
T1647
T1652
T1653
T1654
T1657
T1678
T1679
T1680
T1685
T1685.005
T1686
T1686.003

T1001Data Obfuscation T1001.001Junk Data T1001.002Steganography T1001.003Protocol or Service Impersonation T1003OS Credential Dumping T1005Data from Local System T1007System Service Discovery T1008Fallback Channels T1010Application Window Discovery T1012Query Registry T1014Rootkit T1016System Network Configuration Discovery T1016.001Internet Connection Discovery T1016.002Wi-Fi Discovery T1018Remote System Discovery T1020Automated Exfiltration T1021.001Remote Desktop Protocol T1021.002SMB/Windows Admin Shares T1027Obfuscated Files or Information T1027.001Binary Padding T1027.002Software Packing T1027.003Steganography T1027.008Stripped Payloads T1027.009Embedded Payloads T1027.010Command Obfuscation T1027.011Fileless Storage T1027.013Encrypted/Encoded File T1027.015Compression T1027.016Junk Code Insertion T1029Scheduled Transfer T1030Data Transfer Size Limits T1033System Owner/User Discovery T1036Masquerading T1036.001Invalid Code Signature T1036.003Rename Legitimate Utilities T1036.004Masquerade Task or Service T1036.005Match Legitimate Resource Name or Location T1036.008Masquerade File Type T1037Boot or Logon Initialization Scripts T1037.004RC Scripts T1041Exfiltration Over C2 Channel T1046Network Service Discovery T1047Windows Management Instrumentation T1048Exfiltration Over Alternative Protocol T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003Exfiltration Over Unencrypted Non-C2 Protocol T1049System Network Connections Discovery T1053.002At T1053.003Cron T1053.005Scheduled Task T1055Process Injection T1055.001Dynamic-link Library Injection T1055.002Portable Executable Injection T1055.004Asynchronous Procedure Call T1055.012Process Hollowing T1056Input Capture T1056.001Keylogging T1056.002GUI Input Capture T1056.003Web Portal Capture T1056.004Credential API Hooking T1057Process Discovery T1059Command and Scripting Interpreter T1059.001PowerShell T1059.002AppleScript T1059.003Windows Command Shell T1059.004Unix Shell T1059.005Visual Basic T1059.006Python T1059.007JavaScript T1068Exploitation for Privilege Escalation T1069Permission Groups Discovery T1069.001Local Groups T1069.002Domain Groups T1070Indicator Removal T1070.003Clear Command History T1070.004File Deletion T1070.006Timestomp T1070.008Clear Mailbox Data T1070.009Clear Persistence T1071Application Layer Protocol T1071.001Web Protocols T1071.002File Transfer Protocols T1071.003Mail Protocols T1071.004DNS T1074Data Staged T1074.001Local Data Staging T1078.003Local Accounts T1083File and Directory Discovery T1087Account Discovery T1087.001Local Account T1087.002Domain Account T1087.003Email Account T1090Proxy T1090.001Internal Proxy T1090.003Multi-hop Proxy T1091Replication Through Removable Media T1095Non-Application Layer Protocol T1098.004SSH Authorized Keys T1102Web Service T1102.001Dead Drop Resolver T1102.002Bidirectional Communication T1102.003One-Way Communication T1104Multi-Stage Channels T1105Ingress Tool Transfer T1106Native API T1111Multi-Factor Authentication Interception T1112Modify Registry T1113Screen Capture T1115Clipboard Data T1119Automated Collection T1120Peripheral Device Discovery T1123Audio Capture T1124System Time Discovery T1125Video Capture T1127.001MSBuild T1129Shared Modules T1132.001Standard Encoding T1132.002Non-Standard Encoding T1134Access Token Manipulation T1134.001Token Impersonation/Theft T1134.002Create Process with Token T1134.004Parent PID Spoofing T1135Network Share Discovery T1136.001Local Account T1137.001Office Template Macros T1140Deobfuscate/Decode Files or Information T1176.001Browser Extensions T1185Browser Session Hijacking T1189Drive-by Compromise T1190Exploit Public-Facing Application T1195Supply Chain Compromise T1195.001Compromise Software Dependencies and Development Tools T1195.002Compromise Software Supply Chain T1197BITS Jobs T1203Exploitation for Client Execution T1204.001Malicious Link T1204.002Malicious File T1213Data from Information Repositories T1213.003Code Repositories T1217Browser Information Discovery T1218.004InstallUtil T1218.005Mshta T1218.007Msiexec T1218.010Regsvr32 T1218.011Rundll32 T1219Remote Access Tools T1221Template Injection T1222.001Windows Permissions T1222.002Linux and Mac Permissions T1480Execution Guardrails T1480.001Environmental Keying T1480.002Mutual Exclusion T1482Domain Trust Discovery T1484.001Group Policy Modification T1485Data Destruction T1491.001Internal Defacement T1496.001Compute Hijacking T1497Virtualization/Sandbox Evasion T1497.001System Checks T1497.002User Activity Based Checks T1497.003Time Based Checks T1498Network Denial of Service T1518Software Discovery T1518.001Security Software Discovery T1528Steal Application Access Token T1529System Shutdown/Reboot T1539Steal Web Session Cookie T1543Create or Modify System Process T1543.001Launch Agent T1543.002Systemd Service T1543.003Windows Service T1543.004Launch Daemon T1546Event Triggered Execution T1546.003Windows Management Instrumentation Event Subscription T1546.004Unix Shell Configuration Modification T1546.016Installer Packages T1547Boot or Logon Autostart Execution T1547.001Registry Run Keys / Startup Folder T1547.004Winlogon Helper DLL T1547.006Kernel Modules and Extensions T1547.008LSASS Driver T1547.009Shortcut Modification T1547.012Print Processors T1547.013XDG Autostart Entries T1548.002Bypass User Account Control T1552Unsecured Credentials T1552.001Credentials In Files T1552.002Credentials in Registry T1552.004Private Keys T1552.005Cloud Instance Metadata API T1553.001Gatekeeper Bypass T1553.002Code Signing T1554Compromise Host Software Binary T1555Credentials from Password Stores T1555.001Keychain T1555.003Credentials from Web Browsers T1555.004Windows Credential Manager T1559Inter-Process Communication T1559.001Component Object Model T1559.002Dynamic Data Exchange T1560Archive Collected Data T1560.001Archive via Utility T1560.002Archive via Library T1561.001Disk Content Wipe T1561.002Disk Structure Wipe T1564Hide Artifacts T1564.001Hidden Files and Directories T1564.003Hidden Window T1564.004NTFS File Attributes T1564.006Run Virtual Instance T1564.011Ignore Process Interrupts T1565.002Transmitted Data Manipulation T1566.001Spearphishing Attachment T1566.002Spearphishing Link T1567Exfiltration Over Web Service T1568.001Fast Flux DNS T1568.002Domain Generation Algorithms T1569.001Launchctl T1569.002Service Execution T1571Non-Standard Port T1573Encrypted Channel T1573.001Symmetric Cryptography T1573.002Asymmetric Cryptography T1574Hijack Execution Flow T1574.001DLL T1574.006Dynamic Linker Hijacking T1574.012COR_PROFILER T1583.003Virtual Private Server T1583.004Server T1584.001Domains T1584.004Server T1584.006Web Services T1584.008Network Devices T1585.001Social Media Accounts T1585.002Email Accounts T1587.001Malware T1588.007Artificial Intelligence T1595.002Vulnerability Scanning T1598Phishing for Information T1598.002Spearphishing Attachment T1598.003Spearphishing Link T1614System Location Discovery T1614.001System Language Discovery T1615Group Policy Discovery T1620Reflective Code Loading T1622Debugger Evasion T1647Plist File Modification T1652Device Driver Discovery T1653Power Settings T1654Log Enumeration T1657Financial Theft T1678Delay Execution T1679Selective Exclusion T1680Local Storage Discovery T1685Disable or Modify Tools T1685.005Clear Windows Event Logs T1686Disable or Modify System Firewall T1686.003Windows Host Firewall

Loading AttackTrace...

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes System Information Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, IaaS, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with System Information Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001
T1001.001
T1001.002
T1001.003
T1003
T1005
T1007
T1008
T1010
T1012
T1014
T1016
T1016.001
T1016.002
T1018
T1020
T1021.001
T1021.002
T1027
T1027.001
T1027.002
T1027.003
T1027.008
T1027.009
T1027.010
T1027.011
T1027.013
T1027.015
T1027.016
T1029
T1030
T1033
T1036
T1036.001
T1036.003
T1036.004
T1036.005
T1036.008
T1037
T1037.004
T1041
T1046
T1047
T1048
T1048.002
T1048.003
T1049
T1053.002
T1053.003
T1053.005
T1055
T1055.001
T1055.002
T1055.004
T1055.012
T1056
T1056.001
T1056.002
T1056.003
T1056.004
T1057
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.005
T1059.006
T1059.007
T1068
T1069
T1069.001
T1069.002
T1070
T1070.003
T1070.004
T1070.006
T1070.008
T1070.009
T1071
T1071.001
T1071.002
T1071.003
T1071.004
T1074
T1074.001
T1078.003
T1083
T1087
T1087.001
T1087.002
T1087.003
T1090
T1090.001
T1090.003
T1091
T1095
T1098.004
T1102
T1102.001
T1102.002
T1102.003
T1104
T1105
T1106
T1111
T1112
T1113
T1115
T1119
T1120
T1123
T1124
T1125
T1127.001
T1129
T1132.001
T1132.002
T1134
T1134.001
T1134.002
T1134.004
T1135
T1136.001
T1137.001
T1140
T1176.001
T1185
T1189
T1190
T1195
T1195.001
T1195.002
T1197
T1203
T1204.001
T1204.002
T1213
T1213.003
T1217
T1218.004
T1218.005
T1218.007
T1218.010
T1218.011
T1219
T1221
T1222.001
T1222.002
T1480
T1480.001
T1480.002
T1482
T1484.001
T1485
T1491.001
T1496.001
T1497
T1497.001
T1497.002
T1497.003
T1498
T1518
T1518.001
T1528
T1529
T1539
T1543
T1543.001
T1543.002
T1543.003
T1543.004
T1546
T1546.003
T1546.004
T1546.016
T1547
T1547.001
T1547.004
T1547.006
T1547.008
T1547.009
T1547.012
T1547.013
T1548.002
T1552
T1552.001
T1552.002
T1552.004
T1552.005
T1553.001
T1553.002
T1554
T1555
T1555.001
T1555.003
T1555.004
T1559
T1559.001
T1559.002
T1560
T1560.001
T1560.002
T1561.001
T1561.002
T1564
T1564.001
T1564.003
T1564.004
T1564.006
T1564.011
T1565.002
T1566.001
T1566.002
T1567
T1568.001
T1568.002
T1569.001
T1569.002
T1571
T1573
T1573.001
T1573.002
T1574
T1574.001
T1574.006
T1574.012
T1583.003
T1583.004
T1584.001
T1584.004
T1584.006
T1584.008
T1585.001
T1585.002
T1587.001
T1588.007
T1595.002
T1598
T1598.002
T1598.003
T1614
T1614.001
T1615
T1620
T1622
T1647
T1652
T1653
T1654
T1657
T1678
T1679
T1680
T1685
T1685.005
T1686
T1686.003

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques