{
	"id": "14277447-4098-4c9a-91b9-f481cae10735",
	"created_at": "2026-04-06T00:16:22.778146Z",
	"updated_at": "2026-04-10T03:38:09.822737Z",
	"deleted_at": null,
	"sha1_hash": "80569e9e576d14e178fd506d9c6efa8c65d0e72e",
	"title": "MITRE ATT\u0026CK T1082 System Information Discovery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72026,
	"plain_text": "MITRE ATT\u0026CK T1082 System Information Discovery\r\nBy Huseyin Can YUCEEL\r\nPublished: 2022-06-09 · Archived: 2026-04-05 18:38:00 UTC\r\nSystem Information Discovery involves collecting details about compromised systems or networks, such as hardware\r\nspecifications, software inventories, and network configurations—often using built-in, native OS tools. \r\nIn the Red Report 2025, this technique ranks seventh among the top ten most prevalent adversarial tactics. Its prominence\r\nhighlights the frequent use of living-off-the-land binaries (LOLBins) and native tools [1], which enable attackers to perform\r\nstealthy reconnaissance while mimicking legitimate activities.\r\nAdversary Use of System Information Discovery\r\nAdversaries leverage system information discovery techniques to collect details about a compromised system. For example,\r\nthey may investigate the operating system version, architecture, and configuration to identify potential vulnerabilities or\r\noptimize their attack strategies. 
This information is not only valuable for exploit development but also for selecting and\r\nemploying tools specifically designed for the targeted environment.\r\nThe methods used for system information discovery can be categorized into two broad approaches:\r\nSystem Commands for Information Collection: Adversaries utilize built-in system commands to extract details such\r\nas the operating system type, version, hardware specifications, and network configurations.\r\nAPI Calls for Information in Cloud and Virtual Environments: In cloud or virtualized environments, adversaries may\r\nexploit available APIs to gather information about system configurations, infrastructure settings, and deployed\r\nservices.\r\nUnderstanding these techniques helps illuminate the ways adversaries operate across various platforms and highlights the\r\nimportance of monitoring for such activities to safeguard systems and infrastructure.\r\nOS Commands Used to Collect System Information \r\nAs stressed earlier, adversaries often use built-in OS commands to gather system details during reconnaissance. Here are\r\nsome, but not all, OS-native tools commonly used in malware campaigns:\r\nOn Windows, tools like Systeminfo provide comprehensive information about the OS and hardware. \r\nIn macOS, commands such as Systemsetup and system_profiler offer insights into system configurations, while\r\nuname reveals kernel details. \r\nOn Linux, commands like uname, sysinfo and lsb_release are commonly employed to identify the OS and version. \r\nThese platform-specific utilities enable adversaries to efficiently collect information while remaining stealthy.\r\nLet us explain the information gathered by these tools and highlight identified malware samples that leverage them.\r\nsysteminfo (Windows)\r\nSysteminfo is a built-in command-line tool that is included with Windows operating systems. 
This tool can display detailed\r\ninformation about a system's hardware and software components, including the operating system version, the installed\r\nhotfixes and service packs, and the system architecture. \r\nThe table below shows what information a user can get using the systeminfo tool on Windows machines.\r\nOperating System Configuration | OS name/version/manufacturer/configuration, OS build type, registered owner, registered organization, original install date, system locale, input locale, product ID, time zone, logon server\r\nSecurity Information | Hotfix(es)\r\nHardware Properties | RAM, disk space, network cards, processors, total physical memory, available physical memory, virtual memory\r\nOther System Information | system boot time, system manufacturer, system model, system type, BIOS version, windows directory, system directory, boot device\r\nhttps://www.picussecurity.com/resource/the-system-information-discovery-technique-explained-mitre-attack-t1082\r\nPage 1 of 8\n\nBelow, you will find an example output of the systeminfo tool.\r\nHost Name:                 MYCOMPUTER\r\nOS Name:                   Microsoft Windows 10 Pro\r\nOS Version:                10.0.19044 N/A Build 19044\r\nOS Manufacturer:           Microsoft Corporation\r\nOS Configuration:          Standalone Workstation\r\nOS Build Type:             Multiprocessor Free\r\nRegistered Owner:          John Doe\r\nRegistered Organization:   N/A\r\nProduct ID:                00330-80000-00000-AA825\r\nOriginal Install Date:     6/15/2021, 3:45:10 PM\r\nSystem Boot Time:          12/23/2024, 8:20:30 AM\r\nSystem Manufacturer:       Dell Inc.\r\nSystem Model:              XPS 15 7590\r\nSystem Type:               x64-based PC\r\nProcessor(s):              1 Processor(s) Installed.\r\n                           [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2600 Mhz\r\nBIOS Version:              Dell Inc. 
1.10.1, 6/15/2021\r\nWindows Directory:         C:\\Windows\r\nSystem Directory:          C:\\Windows\\system32\r\nBoot Device:               \\Device\\HarddiskVolume1\r\nSystem Locale:             en-us;English (United States)\r\nInput Locale:              en-us;English (United States)\r\nTime Zone:                 (UTC-05:00) Eastern Time (US \u0026 Canada)\r\nTotal Physical Memory:     16,297 MB\r\nAvailable Physical Memory: 8,547 MB\r\nVirtual Memory: Max Size:  32,594 MB\r\nVirtual Memory: Available: 22,324 MB\r\nVirtual Memory: In Use:    10,270 MB\r\nPage File Location(s):     C:\\pagefile.sys\r\nDomain:                    WORKGROUP\r\nLogon Server:              \\\\MYCOMPUTER\r\nHotfix(es):                10 Hotfix(es) Installed.\r\n                           [01]: KB5003173\r\n                           ...\r\n                           [10]: KB5006670\r\nNetwork Card(s):           1 NIC(s) Installed.\r\n                           [01]: Intel(R) Wi-Fi 6 AX201 160MHz\r\n                                 Connection Name: Wi-Fi\r\n                                 DHCP Enabled:    Yes\r\n                                 DHCP Server:     192.168.1.1\r\n                                 IP address(es)\r\n                                 [01]: 192.168.1.100\r\n                                 [02]: fe80::1d1f:3a55:dc77:b800\r\nHyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.\r\nAdversaries commonly use the systeminfo command in the wild. \r\nFor instance, in November 2024, it was reported that the Interlock ransomware attack leveraged a Remote Access Tool\r\n(RAT) to execute the \"systeminfo\" command [2]. 
This command, run via \"cmd.exe /c systeminfo,\" was used to collect\r\nsystem details from the victim's machine and transmit the gathered information to the attackers' command-and-control\r\nserver.\r\nIn another example highlighted in October 2024, SingleCamper is a key implant used by the UAT-5647 threat group [3]. It\r\nis loaded by ShadyHammock after being read and decoded from the Windows registry. SingleCamper can execute the\r\nfollowing preliminary reconnaissance commands sent by the C2 and respond with the results, such as:\r\nnltest /domain_trusts\r\nsysteminfo\r\nipconfig /all\r\ndir C:\\\"program Files\" C:\\\"Program Files (x86)\" C:\\Users \r\nFinally, in one case reported by Microsoft in May 2024, Moonstone Sleet has been observed distributing malware, such as\r\nthe TrojanDropper:Win64/YouieLoad* (a.k.a data.tmp), via malicious applications like the game DeTankWar [4]. Once\r\nexecuted, this malware can collect system information and relay it back to the attackers.\r\nSHA-256*: 9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1\r\nsystem_profiler (macOS)\r\nThe system_profiler is a command-line utility on macOS that provides detailed information about the hardware and software\r\nconfiguration of a mac device. An adversary who has gained access to a mac host could use this tool to gather information\r\nabout the system, such as the version of the operating system, the model and make of the computer, the type and amount of\r\nmemory installed, and so on. \r\nHere is an example command demonstrating how adversaries can leverage the system_profiler utility [5]. 
\r\nsystem_profiler SPHardwareDataType SPSoftwareDataType\r\nBy combining these two data types in a single command, an adversary can efficiently collect a comprehensive profile of\r\nboth the hardware and software aspects of the system, which can be critical for planning further malicious activities like\r\ntargeted malware attacks, system exploitation, or data exfiltration.\r\nIn fact, in 2024, there is documented evidence of adversaries using the system_profiler utility on macOS to gather system\r\ninformation during their attacks. For instance, the Cuckoo malware, reported in May 2024, employs the system_profiler\r\ncommand to extract hardware details from infected macOS systems [6]:\r\n10001248c __builtin_strcpy(dest: \u0026systemProfilerCMD, src: \"system_profiler SPHardwareDataTy\\t,\")\r\n100012498 XOR_func(\u0026systemProfilerCMD, 0x23)\r\n1000124a4 char* x0_14 = popenCMD(\u0026systemProfilerCMD, 1)\r\nAdditionally, the Rust-based macOS backdoor analyzed in February 2024 executes the following commands to collect\r\ncomprehensive system information [7], aiding attackers in profiling the compromised machine:\r\nsystem_profiler SPSoftwareDataType SPHardwareDataType\r\nThese instances demonstrate that adversaries actively leverage system_profiler to perform system information\r\ndiscovery, facilitating further malicious activities such as data exfiltration or system exploitation.\r\nsystemsetup (macOS)\r\nThe systemsetup command-line utility in macOS is designed for configuring system settings, such as setting the computer\r\nname, adjusting time zones, and managing network configurations. 
Threat actors, however, often exploit legitimate utilities\r\nlike this to achieve their objectives—a tactic known as \"Living off the Land.\"\r\nAlthough systemsetup requires root or administrator privileges to execute certain commands, its options and capabilities can\r\nvary depending on the macOS version in use. Commonly, this tool is used for system information discovery or configuration\r\nchanges that could be misused in malicious activities. Examples include:\r\n-gettimezone: It displays the current time zone of the system. \r\nuser@macos:~$ sudo systemsetup -gettimezone\r\nTime Zone: Europe/Istanbul\r\nAdversaries may leverage this option to determine if the system is configured to use the correct time zone. If not, the target\r\nsystem may be more susceptible to certain types of attacks, such as time-based attacks that rely on the system's clock being\r\nout of sync with other systems.\r\nFor instance, in a hypothetical scenario, if an attacker discovers a system clock discrepancy, they could schedule a cron job\r\nto exploit it, potentially aligning the execution of a malicious script with a specific event or trigger. The cron job might look\r\nsomething like this:\r\n0 2 * * * /path/to/malicious/script.sh\r\nThis line in a crontab file would theoretically schedule the script.sh to run at 2:00 AM system time every day. If the system's\r\nclock is incorrectly set, this could trigger the script at an unexpected time, possibly aligning with a time-based security\r\nloophole or during low monitoring periods.\r\n-getcomputername: It displays the current hostname of the system. \r\nuser@macos:~$ sudo systemsetup -getcomputername\r\nComputer Name: John's MacBook Pro\r\nThis option can be used to learn the hostname to determine if the system is configured to use a fully qualified domain name\r\n(FQDN) or a simple hostname. 
It can also be used to identify potential vulnerabilities in the system's name resolution\r\nconfiguration, such as misconfigured DNS records or a lack of domain name validation. \r\n-getremotelogin: It displays the current status of remote login, which allows users to access the system remotely over the\r\nnetwork.\r\nuser@macos:~$ sudo systemsetup -getremotelogin\r\nRemote Login: On\r\nThis option is often leveraged to determine whether remote login is enabled on the system; if it is, adversaries may want to\r\nlearn which remote login protocols are supported. Later, adversaries can use this information to gain unauthorized access to\r\nthe system by exploiting vulnerabilities in the remote login protocols. \r\nnetworksetup (macOS)\r\nSystemsetup is not the only built-in tool that adversaries can leverage.\r\nThe networksetup tool in macOS can be used by adversaries for reconnaissance purposes. By using the\r\nlistallnetworkservices option, an adversary can list all network services configured on the system. This information can be\r\ncrucial for understanding the network environment of the target system and identifying potential avenues for network-based\r\nattacks or further exploitation.\r\nuser@macos:~$ sudo networksetup -listallnetworkservices\r\nAn asterisk (*) denotes that a network service is disabled.\r\nWi-Fi\r\nThunderbolt Bridge\r\n*Hotspot Shield VPN\r\nIn this example, the command lists available network services like Wi-Fi and Thunderbolt Bridge, and indicates that\r\n\"Hotspot Shield VPN\" is disabled. 
This knowledge can help an attacker understand the network setup and potentially\r\nidentify less secure or disabled network services that can be exploited.\r\nOn the other hand, the networksetup -getinfo command is another powerful tool in macOS that can be used by adversaries to\r\ngather detailed network configuration information. When used with a specific network service like Wi-Fi, it can reveal\r\nvarious settings and parameters.\r\nuser@macos:~$ sudo networksetup -getinfo Wi-Fi\r\nDHCP Configuration\r\nIP address: 192.168.1.100\r\nSubnet mask: 255.255.255.0\r\nRouter: 192.168.1.1\r\nClient ID:\r\nWi-Fi ID: 00:1e:65:3b:42:fb\r\nIn this output, the command provides critical network information such as the IP address, subnet mask, router address, and\r\nthe Wi-Fi interface's MAC address. This data can be valuable for an adversary in understanding the network layout,\r\nidentifying potential internal network targets, and planning further network-based attacks or intrusions.\r\nA notable example involves a backdoor reported in February 2024. Written in Rust language, it targets macOS users,\r\nexploiting the networksetup utility to gather detailed information about the victim's machine and its network connections\r\n[7]. This malware executed specific commands to enumerate network services and hardware ports, enabling comprehensive\r\nsystem reconnaissance:\r\nnetworksetup -listallnetworkservices\r\nnetworksetup -listallhardwareports\r\nThe command networksetup -listallnetworkservices was used to list all network services configured on the target system,\r\nsuch as Wi-Fi, Ethernet, or VPN connections. This provided the adversary with an overview of the available network\r\ninterfaces and their configurations. 
Additionally, the command networksetup -listallhardwareports revealed details about\r\nhardware ports, including device names and MAC addresses, offering insights into the physical and logical network\r\ninfrastructure.\r\nBuilt-in Linux Functions\r\nOn compromised Linux hosts, adversaries can run built-in commands or create tools that leverage these command-line\r\nutilities to gain system-related information. \r\nFunction Name | What It Gathers\r\nuname | Name and information about the Linux kernel\r\nsysinfo | Memory statistics and swap space usage\r\nstatvfs | Statistics for the filesystem, including the current working directory\r\nif_nameindex | Network interface names\r\nlsb_release | Distribution and version of the operating system\r\nFor instance, in December 2024, an analysis of Linux malware revealed that adversaries are exploiting built-in Linux\r\nfunctions to gather system information [8]. Specifically, the malware utilizes the \"uname\" system call to query kernel\r\nversion information, aiding in tailoring attacks to the compromised system's environment.\r\nSHA-256*: b0add768c79a7e9f396792dc4b1878fcba9dbe5e9e6e3ee4da05c9ef5ff000fa\r\nThis finding underscores the importance of monitoring the use of built-in Linux functions, as they can be exploited by threat\r\nactors to facilitate malicious activities on compromised hosts.\r\nAPI Calls Used to Collect System Information for IaaS\r\nInfrastructure-as-a-Service (IaaS) providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud\r\nPlatform (GCP), offer APIs that allow users to retrieve information about the instances in their cloud infrastructure.\r\nDescribe-instance-information (AWS)\r\nThe DescribeInstanceInformation action is part of the Amazon EC2 Systems Manager API in AWS. 
It allows you to retrieve\r\ninformation about your Amazon EC2 instances and on-premises servers that are registered with Systems Manager. To call\r\nthe DescribeInstanceInformation action, adversaries can use the AWS Command Line Interface (CLI) or the Systems\r\nManager API. Here is an example of how adversaries call the action using the AWS CLI:\r\naws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=i-12345678\r\nThis command will retrieve information about the instance with the ID i-12345678. You can also specify multiple instances\r\nby providing a list of instance IDs in the valueSet parameter. \r\nHere is an example of the JSON response that the DescribeInstanceInformation action might return:\r\n{\r\n    \"InstanceInformationList\": [\r\n        {\r\n            \"InstanceId\":\"i-12345678\",\r\n            \"PingStatus\":\"Online\",\r\n            \"LastPingDateTime\":1608299022.927,\r\n            \"AgentVersion\":\"2.3.1234.0\",\r\n            \"IsLatestVersion\":true,\r\n            \"PlatformName\":\"Windows\",\r\n            \"PlatformType\":\"Windows\",\r\n            \"PlatformVersion\":\"2012\",\r\n            \"ActivationId\":\"1234abcd-12ab-12ab-12ab-123456abcdef\",\r\n            \"IamRole\":\"ssm-role\",\r\n            \"RegistrationDate\":1608298822.927,\r\n            \"ResourceType\":\"Instance\",\r\n            \"Name\":\"my-instance\",\r\n            \"IPAddress\":\"1.2.3.4\"\r\n        }\r\n    ]\r\n}\r\nVirtual Machine - Get (Azure)\r\nAdversaries can use the Get request to retrieve information about a VM in Microsoft Azure. The Get request can be made\r\nusing the Azure REST API, Azure PowerShell cmdlets, or Azure CLI. 
Using the Get request, attackers can retrieve a wide\r\nrange of information about the VM, including its resource group, location, size, status, and more.\r\nAdversaries can send an HTTP GET request to the Azure Management REST API. The request should be made to the\r\nfollowing URL:\r\nhttps://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMach\r\napi-version={apiVersion}\r\nWhere:\r\nsubscriptionId is the ID of the subscription that the VM belongs to.\r\nresourceGroupName is the name of the resource group that the VM belongs to.\r\nvmName is the name of the VM you want to retrieve information about.\r\napiVersion is the version of the Azure Management REST API you want to use.\r\nThe request should include an Authorization header with a Bearer token that authenticates the request. Here is a minimized\r\nexample of the JSON response that the Azure Management REST API might return when you send a GET request to retrieve\r\ninformation about a 
VM:\r\n{\"id\":\"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}\",\"name\":\"{vmName}\",\"type\":\"Microsoft.Compute/virtualMachines\",\"location\":\"EastUS\",\"properties\":{\"vmId\":\"{vmId}\",\"hardwareProfile\":{\"vmSize\":\"Standard_D1_v2\"},\"storageProfile\":{\"imageReference\":{\"publisher\":\"Canonical\",\"offer\":\"UbuntuServer\",\"sku\":\"18.04-LTS\",\"version\":\"latest\"},\"osDisk\":{\"name\":\"{vmName}-osdisk\",\"caching\":\"ReadWrite\",\"createOption\":\"FromImage\",\"diskSizeGB\":30,\"managedDisk\":{\"storageAccountType\":\"Standard_LRS\"}}},\"osProfile\":{\"computerName\":\"{vmName}\",\"adminUsername\":\"azureuser\",\"linuxConfiguration\":{\"disablePasswordAuthentication\":true,\"ssh\":{\"publicKeys\":[{\"path\":\"/home/azureuser/.ssh/authorized_keys\",\"keyData\":\"{ssh-public-key}\"}]}}},\"networkProfile\":{\"networkInterfaces\":[{\"id\":\"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{vmName}-nic\",\"properties\":{\"primary\":true}}]},\"provisioningState\":\"Succeeded\"}}\r\ninstances.get (GCP)\r\nThe instances.get method in Google Cloud Platform (GCP) is used to retrieve information about a specific Compute Engine\r\nvirtual machine instance. It is a part of the Compute Engine API, which allows you to create and manage virtual machine\r\ninstances on Google's infrastructure.\r\nTo use the instances.get method, you need to provide the name of the instance that you want to retrieve information about, as\r\nwell as the project and zone in which it is located. 
You can also specify additional parameters to customize the request.\r\nHere is an example of how to call the instances.get method through the gcloud CLI:\r\ngcloud compute instances describe [INSTANCE_NAME] \\\r\n    --project=[PROJECT_ID] \\\r\n    --zone=[ZONE]\r\nHere is an example of the minimized JSON response that the instances.get method might return:\r\n{\"id\":\"1234567890\",\"creationTimestamp\":\"2023-01-01T12:34:56.789Z\",\"name\":\"my-instance\",\"zone\":\"projects/my-project/zones/us-central1-a\",\"machineType\":\"projects/my-project/machineTypes/n1-standard-1\",\"status\":\"RUNNING\",\"disks\":[{\"deviceName\":\"my-instance\",\"index\":0,\"type\":\"PERSISTENT\",\"mode\":\"READ_WRITE\",\"boot\":true,\"autoDelete\":true,\"initializeParams\":{\"sourceImage\":\"projects/debian-cloud/global/images/family/debian-9\",\"diskSizeGb\":\"10\",\"diskType\":\"projects/my-project/zones/us-central1-a/diskTypes/pd-standard\"},\"diskSizeGb\":\"10\",\"licenses\":[\"projects/my-project/global/licenses/windows-server\"],\"interface\":\"SCSI\",\"source\":\"projects/my-project/zones/us-central1-a/disks/my-instance\",\"guestOsFeatures\":[{\"type\":\"VIRTIO_SCSI_MULTIQUEUE\"}]}],\"canIpForward\":false,\"networkInterfaces\":[{\"network\":\"global/networks/default\",\"subnetwork\":\"projects/my-project/regions/us-central1/subnetworks/default\",\"accessConfigs\":[{\"name\":\"External NAT\",\"type\":\"ONE_TO_ONE_NAT\",\"natIP\":\"1.2.3.4\"}],\"aliasIpRanges\":[],\"networkIP\":\"10.128.0.2\"}],\"description\":\"My instance\",\"labels\":{\"env\":\"prod\"},\"scheduling\":{\"preemptible\":false,\"onHostMaintenance\":\"MIGRATE\",\"automaticRestart\":true},\"deletionProtection\":false,\"reservationAffinity\":{\"consumeReservationType\":\"ANY_RESERVATION\"}}\r\nReferences\r\n[1] “LOLBAS.” Available: https://lolbas-project.github.io. [Accessed: Feb. 17, 2025]\r\n[2] E. Biasiotto, “Unwrapping the emerging Interlock ransomware attack,” Cisco Talos Blog, Nov. 07, 2024. Available: https://blog.talosintelligence.com/emerging-interlock-ransomware/. [Accessed: Nov. 27, 2024]\r\n[3] D. Korzhevin, “UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants,” Cisco Talos Blog, Oct. 17, 2024. Available: https://blog.talosintelligence.com/uat-5647-romcom/. [Accessed: Nov. 27, 2024]\r\n[4] M. T. Intelligence, “Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks,” Microsoft Security Blog, May 28, 2024. Available: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/. [Accessed: Dec. 24, 2024]\r\n[5] “Find your Mac model name and serial number,” Apple Support. Available: https://support.apple.com/en-by/102767. [Accessed: Jan. 03, 2024]\r\n[6] Dhivya, “New Cuckoo Malware Attacking macOS Users to Steal Sensitive Data,” Cyber Security News, May 06, 2024. Available: https://cybersecuritynews.com/malware-attacking-macos/. [Accessed: Dec. 24, 2024]\r\n[7] A. Lapusneanu, “New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group,” Bitdefender Labs. Available: https://www.bitdefender.com/en-us/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group. [Accessed: Dec. 24, 2024]\r\n[8] “VirusTotal.” Available: https://www.virustotal.com/gui/file/b0add768c79a7e9f396792dc4b1878fcba9dbe5e9e6e3ee4da05c9ef5ff000fa. [Accessed: Jan. 14, 2025]\r\nSource: https://www.picussecurity.com/resource/the-system-information-discovery-technique-explained-mitre-attack-t1082",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.picussecurity.com/resource/the-system-information-discovery-technique-explained-mitre-attack-t1082"
	],
	"report_names": [
		"the-system-information-discovery-technique-explained-mitre-attack-t1082"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434582,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80569e9e576d14e178fd506d9c6efa8c65d0e72e.pdf",
		"text": "https://archive.orkl.eu/80569e9e576d14e178fd506d9c6efa8c65d0e72e.txt",
		"img": "https://archive.orkl.eu/80569e9e576d14e178fd506d9c6efa8c65d0e72e.jpg"
	}
}