Description
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery, which is an adversary's discovery of local drives, disks, and/or volumes.
Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the `systemsetup` configuration tool on macOS. Adversaries may leverage a Network Device CLI on network devices to gather detailed system information (e.g. `show version`).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various `esxcli` utilities, such as `system hostname get` and `system version get`.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
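The Description above names the commands this technique relies on (`systeminfo`, `hostname`, `net config workstation`, `uname -m`, `systemsetup`, the `esxcli system ... get` calls, `show version`). On the defender's side, the useful signal is rarely a single one of these, since administrators run them routinely; it is several different discovery commands from the same account on the same host within a short window. The following is an added example, not code from the ATT&CK page or from any referenced project: it classifies process-creation command lines against those commands and reports such bursts. The event shape (`host`, `user`, `time`, `command_line`) is an assumed simplification of an EDR or Sysmon-style feed, the five-minute window and three-command threshold are illustrative defaults, and every sample event is constructed.

```python
"""Flag bursts of System Information Discovery (T1082) commands in process events.

Added example; not code from the ATT&CK page or from any referenced project.
The event shape (host, user, time, command_line) is an assumed simplification
of what an EDR or Sysmon-style process-creation feed provides, and every
sample event below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Start of line, a path separator or whitespace: lets "C:\...\systeminfo.exe"
# match without matching words that merely contain "systeminfo".
_START = r"(?:^|[\\/\s])"

# Discovery commands named on the page, most specific first so that, e.g.,
# "esxcli system hostname get" is not reported as a bare "hostname".
DISCOVERY_PATTERNS = [
    ("esxcli system hostname get", r"\besxcli\s+system\s+hostname\s+get\b"),
    ("esxcli system version get",  r"\besxcli\s+system\s+version\s+get\b"),
    ("show version",               r"^\s*show\s+version\b"),
    ("net config workstation",     r"\bnet1?(?:\.exe)?\s+config\s+workstation\b"),
    ("fsutil fsinfo",              r"\bfsutil(?:\.exe)?\s+fsinfo\b"),
    ("systemsetup",                r"\bsystemsetup\s+-get\w+"),
    ("uname -m",                   r"\buname\s+-[a-z]*m\b"),
    ("systeminfo",                 _START + r"systeminfo(?:\.exe)?\b"),
    ("hostname",                   _START + r"hostname(?:\.exe)?\b"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in DISCOVERY_PATTERNS]


def classify(command_line: str) -> Optional[str]:
    """Return the label of the first discovery command the line matches, or None."""
    for label, rx in COMPILED:
        if rx.search(command_line):
            return label
    return None


def find_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Group matched events by (host, user) and report each window in which at
    least `min_distinct` different discovery commands ran within `window`.
    A lone systeminfo from an administrator is routine; several different
    discovery commands in quick succession is the pattern worth reviewing."""
    by_actor = defaultdict(list)
    for ev in events:
        label = classify(ev["command_line"])
        if label:
            key = (ev["host"], ev["user"])
            by_actor[key].append((datetime.fromisoformat(ev["time"]), label))

    bursts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - start <= window:
                j += 1  # extend the window as far as it reaches
            labels = sorted({label for _, label in hits[i:j + 1]})
            if len(labels) >= min_distinct:
                bursts.append({"host": host, "user": user,
                               "start": start.isoformat(), "end": hits[j][0].isoformat(),
                               "commands": labels})
                i = j + 1  # do not re-report events already inside a burst
            else:
                i += 1
    return bursts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # A single systeminfo from an administrator: matched, but no burst.
    {"host": "ws-01", "user": "admin", "time": "2024-05-01T09:00:00",
     "command_line": "C:\\Windows\\System32\\systeminfo.exe"},
    # Four different discovery commands from one account in under a minute.
    {"host": "ws-07", "user": "jdoe", "time": "2024-05-01T10:15:02", "command_line": "cmd.exe /c hostname"},
    {"host": "ws-07", "user": "jdoe", "time": "2024-05-01T10:15:05", "command_line": "systeminfo"},
    {"host": "ws-07", "user": "jdoe", "time": "2024-05-01T10:15:09", "command_line": "net config workstation"},
    {"host": "ws-07", "user": "jdoe", "time": "2024-05-01T10:15:20", "command_line": "fsutil fsinfo drives"},
    {"host": "ws-07", "user": "jdoe", "time": "2024-05-01T10:16:00", "command_line": "notepad.exe report.txt"},
    # ESXi shell: the two esxcli calls from the Description plus uname -m.
    {"host": "esx-03", "user": "root", "time": "2024-05-01T11:00:00", "command_line": "esxcli system hostname get"},
    {"host": "esx-03", "user": "root", "time": "2024-05-01T11:00:03", "command_line": "esxcli system version get"},
    {"host": "esx-03", "user": "root", "time": "2024-05-01T11:00:10", "command_line": "uname -m"},
]

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_EVENTS):
        print(f"{b['host']} {b['user']} {b['start']}..{b['end']}: {', '.join(b['commands'])}")
```

Run as-is, it reports the `ws-07` and `esx-03` bursts and stays silent on the lone `systeminfo` from `ws-01`. In a real deployment the window and threshold are tuned against the environment's baseline, and a burst is worth enriching with the parent process and the account's normal role before it becomes an alert.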
Platforms
Threat Groups (57)
| ID | Group | Context |
|---|---|---|
| G0124 | Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a script to detect which Linux distribution and version is currently installed on the system... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) used various system commands and tools to pull system information during operations.(Citation: FBI ... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run `hostname` and `systeminfo` on a victim.(Citation: Palo Alto OilRig May ... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to capture the processor architecture of a compromised host in order to register it... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) uses multiple built-in commands such as `systeminfo` and `net config Workstation` to enumera... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has collected hardware details for the victim's system, including CPU and memory information... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has collected the hostname of a compromised machine.(Citation: Kaspersky Lyceum October 2021) |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has collected the hostname, OS version, service pack version, and the processor architecture from t... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has collected system information prior to downloading malware on the targeted host.(Citation: Proofpoi... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has collected local host information by utilizing Windows commands `systeminfo`, `fsutil`, and `fsinfo`... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has used `uname -m` to collect the name and information about the infected system's kernel.(Citation: Ano... |
| G0047 | Gamaredon Group | A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's computer name and drive serial numbers to send to a C2... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) collects the computer name, the BIOS model, and execution path.(Citation: Talos Group123) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has collected the OS version and computer name from victims. One of the group's backdoors can also quer... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has used a reconnaissance module to gather information about the operating system and hardware on t... |
| G0032 | Lazarus Group | Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families collect information on the type and version of the victim OS, as well ... |
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) collected information about the infected host, including the machine names and OS architecture.(C... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) collected the system GUID and computer name.(Citation: PTSecurity Higaisa 2020)(Citation: Malwarebyte... |
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) deploys information gathering tools focused on capturing IP configuration, running application, system... |
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) collects the machine information, system architecture, the OS version, computer name, and Windows pr... |
Associated Software (353)
| ID | Name | Type | Context |
|---|---|---|---|
| S0339 | Micropsia | Malware | [Micropsia](https://attack.mitre.org/software/S0339) gathers the hostname and OS version from the victim’s machine.(Citation: Talos Micropsia June 201... |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) enumerates the victim operating system and computer name during the initial infection.(Citation: Fide... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) will gather various system information such as domain, display adapter description, operating syst... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can detect whether a system is running FreeBSD, VMkernel (ESXi), Nutanix AHV, or a standard Linux dis... |
| S1249 | HexEval Loader | Malware | [HexEval Loader](https://attack.mitre.org/software/S1249) has identified the OS and MAC address of victim device through host fingerprinting scripting... |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has collected OS type, hostname and system version through the "pay" module.(Citation: Esen... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware in... |
| S0553 | MoleNet | Malware | [MoleNet](https://attack.mitre.org/software/S0553) can collect information about the system.(Citation: Cybereason Molerats Dec 2020) |
| S0388 | YAHOYAH | Malware | [YAHOYAH](https://attack.mitre.org/software/S0388) checks for the system’s Windows OS version and hostname.(Citation: TrendMicro TropicTrooper 2015) |
| S0464 | SYSCON | Malware | [SYSCON](https://attack.mitre.org/software/S0464) has the ability to use [Systeminfo](https://attack.mitre.org/software/S0096) to identify system info... |
| S0130 | Unknown Logger | Malware | [Unknown Logger](https://attack.mitre.org/software/S0130) can obtain information about the victim computer name, physical memory, country, and date.(C... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can enumerate the OS version and domain on a targeted system.(Citation: Google EXOTIC LILY March ... |
| S0237 | GravityRAT | Malware | [GravityRAT](https://attack.mitre.org/software/S0237) collects the MAC address, computer name, and CPU information.(Citation: Talos GravityRAT) |
| S0211 | Linfo | Malware | [Linfo](https://attack.mitre.org/software/S0211) creates a backdoor through which remote attackers can retrieve system information.(Citation: Symantec... |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can obtain the OS version and build, computer name, and processor architecture from a compromised ho... |
| S0634 | EnvyScout | Malware | [EnvyScout](https://attack.mitre.org/software/S0634) can determine whether the ISO payload was received by a Windows or iOS device.(Citation: MSTIC No... |
| S0674 | CharmPower | Malware | [CharmPower](https://attack.mitre.org/software/S0674) can enumerate the OS version and computer name on a targeted system.(Citation: Check Point APT35... |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) collects system information including computer and domain names, OS version, and S7P paths.(Citatio... |
| S0254 | PLAINTEE | Malware | [PLAINTEE](https://attack.mitre.org/software/S0254) collects general system enumeration data about the infected machine and checks the OS version.(Cit... |
| S1234 | SplatCloak | Malware | [SplatCloak](https://attack.mitre.org/software/S1234) has collected the Windows build number using the windows kernel API `RtlGetVersion` to determine... |
References
- Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.
- Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.
- Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
- Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Phil Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1082 (System Information Discovery)?
T1082 is a MITRE ATT&CK technique named 'System Information Discovery'. It belongs to the Discovery tactic(s). An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this informatio...
How can T1082 be detected?
Detection of T1082 (System Information Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1082?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1082?
Known threat groups using T1082 include: Windigo, BlackByte, OilRig, ZIRCONIUM, APT41, Blue Mockingbird, HEXANE, Darkhotel.