System Information Discovery, Technique T1082 - Enterprise (original) (raw)
4H RAT sends an OS version identifier in its beacons.[9]
AcidPour can identify various system locations and mapped devices on Linux systems as a precursor to wiping activity.[10]
Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.[11]
admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download[12]
ADVSTORESHELL can run Systeminfo to gather information about the victim.[13][14]
Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.[15][16][17]
Akira uses the GetSystemInfo Windows function to determine the number of processors on a victim machine.[18]
Amadey has collected the computer name and OS version from a compromised machine.[19][20]
Anchor can determine the hostname and linux version on a compromised host.[21]
Anthropic AI-orchestrated Campaign
During the Anthropic AI-orchestrated Campaign, the adversary tasked Claude Code to query databases and systems in order to identify proprietary information, including system configurations and database types.[22]
AppleJeus has collected the victim host information after infection.[23]
AppleSeed can identify the OS version of a targeted system.[24]
APT18 can collect system information from the victim’s machine.[25]
APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.[26][27]
APT3 has a tool that can obtain information about the local system.[28][29]
APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[30][31][32][33]
APT37 collects the computer name, the BIOS model, and execution path.[34]
APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.[35]
APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information.[36]
APT42 has used malware, such as GHAMBAR and POWERPOST, to collect system information.[37]
Aquatic Panda has used native OS commands to understand privilege levels and system details.[38]
ArcaneDoor included collection of victim device configuration information.[39]
Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, and machine GUID on a compromised host.[40]
The AshTag loader and AshenOrchestrator components can collect reconnaissance data from victim machines.[41]
Astaroth collects the machine name and keyboard language from the system. [42][43]
AuTo Stealer has the ability to collect the hostname and OS information from an infected host.[11]
Avenger has the ability to identify the OS architecture on a compromised host.[44]
Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.[45][46]
BabyShark has executed the ver command.[47]
BackConfig has the ability to gather the victim's computer name.[48]
Backdoor.Oldrea collects information about the OS and computer name.[49][50]
During its initial execution, BACKSPACE extracts operating system information from the infected host.[51]
BADCALL collects the computer name and host name on the compromised system.[52]
BADFLICK has captured victim computer name, memory space, and CPU details.[53]
BADHATCH can obtain current system information from a compromised machine such as the SHELL PID, PSVERSION, HOSTNAME, LOGONSERVER, LASTBOOTUP, OS type/version, bitness, and hostname.[54][55]
BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.[56]
Bankshot gathers system information, network addresses, and the operation system version.[57][58]
Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.[59][60]
BeaverTail has been known to collect basic system information.[61][62] BeaverTail has also collected data to include hostname and current timestamp prior to uploading data to the API endpoint /uploads on the C2 server.[63]
BISCUIT has a command to collect the processor type, operation system, computer name, and whether the system is a laptop or PC.[64]
Bisonal has used commands and API calls to gather system information.[65][66][67]
Black Basta can collect system boot configuration and CPU information.[68][69]
BlackByte used various system commands and tools to pull system information during operations.[70][71][72]
BlackByte Ransomware gathers victim system information to generate a unique victim identifier.[73]
BlackCat can obtain the computer name and UUID.[74]
BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.[75][76]
BLINDINGCAN has collected from a victim machine the system name, processor information, and OS version.[77]
Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.[78]
BLUELIGHT has collected the computer name and OS version from victim machines.[79]
BOLDMOVE performs system survey actions following initial execution.[80]
Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.[81]
BoomBox can enumerate the hostname, domain, and IP of a compromised host.[82]
Brave Prince collects hard drive content and system configuration information.[83]
BUBBLEWRAP collects system information, including the operating system version and hostname.[12]
Bumblebee can enumerate the OS version and domain on a targeted system.[84][85][86]
Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion.[87][8]
CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.[88][89]
Cadelspy has the ability to discover information about the compromised host.[90]
Cannon can gather system information from the victim’s machine such as the OS version, and machine name.[91][92]
Carberp has collected the operating system version from the infected system.[93]
Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[94]
CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[95][96]
Caterpillar WebShell has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more.[97]
Chaes has collected system information, including the machine name and OS version.[98]
CharmPower can enumerate the OS version and computer name on a targeted system.[99]
ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[100][101]
Chrommme has the ability to obtain the computer name of a compromised host.[102]
Clambling can discover the hostname, computer name, and Windows version of a targeted machine.[103][104]
cmd can be used to find information about the operating system.[105]
Comnie collects the hostname of the victim machine.[106]
Contagious Interview has configured malicious webpages to identify the victim’s operating system by reviewing the details of the victims User-Agent of their browser.[107]
CORESHELL collects hostname and OS version data from the victim and sends the information to its C2 server.[108]
Covenant implants can gather basic information on infected systems.[109]
A system info module in CozyCar gathers information on the victim host’s configuration.[110]
Crimson contains a command to collect the victim PC name and operating system.[111][112][113]
Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts.[114][115]
CURIUM deploys information gathering tools focused on capturing IP configuration, running application, system information, and network connectivity information.[116]
During Cutting Edge, threat actors used the ENUM4LINUX Perl script for discovery on Windows and Samba hosts.[117]
Cyclops Blink has the ability to query device information.[118]
Daggerfly utilizes victim machine operating system information to create custom User Agent strings for subsequent command and control communication.[119]
DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.[120][121]
DarkGate will gather various system information such as domain, display adapter description, operating system type and version, processor type, and RAM amount.[122][123]
Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.[124][125]
DarkTortilla can obtain system information by querying the Win32_ComputerSystem, Win32_BIOS, Win32_MotherboardDevice, Win32_PnPEntity, and Win32_DiskDrive WMI objects.[126]
DarkWatchman can collect the OS version, system architecture, and computer name.[127]
DEADEYE can enumerate a victim computer's volume serial number and host name.[128]
Denis collects OS information and the computer name from the victim’s machine.[129][130]
Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.[131]
Diavol can collect the computer name and OS version from the system.[132]
Diskpart can show information about the selected disk, partition, volume, or virtual hard disk (VHD).[133]
DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[134]
Dridex has collected the computer name and OS architecture information from the system.[135]
DropBook has checked for the presence of Arabic language in the infected machine's settings.[136]
dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain.[128]
Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.[137][138]
DUSTTRAP reads the value of the infected system's HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID value.[139]
DustySky extracts basic information about the operating system.[140]
Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.[141]
Egregor can perform a language check of the infected system and can query the CPU information (cupid).[142][143]
Elise executes systeminfo after initial communication is made to the remote server.[144]
Emissary has the capability to execute ver and systeminfo commands.[145]
Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.[146][147]
EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.[82]
Epic collects the OS version, hardware information, computer name, available system memory status, and system and user language settings.[148]
EVILNUM can obtain the computer name from the victim's system.[149]
Explosive has collected the computer name from the infected host.[150]
FALLCHILL can collect operating system (OS) version information, processor information, and system name from the victim.[151]
FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host.[152]
Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.[153]
FELIXROOT collects the victim’s computer name, processor architecture, OS version, and system type.[154][155]
Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.[156]
FIN13 has collected local host information by utilizing Windows commands systeminfo, fsutil, and fsinfo. FIN13 has also utilized a compromised Symantex Altiris console and LanDesk account to retrieve host information.[157][158]
FIN7 has used csvde.exe, which is a built-in Windows command line tool, to export system information. Additionally, WsTaskLoad has gathered system information, such as operating system and hostname.[159]
FIN8 has used PowerShell Scripts to check the architecture of a compromised machine before the selection of a 32-bit or 64-bit version of a malicious .NET loader.[160]
Final1stspy obtains victim Microsoft Windows version information and CPU architecture.[161]
FinFisher checks if the victim OS is 32 or 64-bit.[162][163]
FlawedAmmyy can collect the victim's operating system and computer name during the initial infection.[164]
During Frankenstein, the threat actors used Empire to obtain the compromised machine's name.[147]
During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.[165]
Fysbis has used the command ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release" to determine which Linux OS version is running.[166]
A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.[167][168][169][170][171]
Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.[102]
Get2 has the ability to identify the computer name and Windows version of an infected host.[172]
gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.[173]
GlassWorm has the ability to check the OS of the victim host.[174][175] GlassWorm has checked whether the OS platform value includes darwin prior to execution of macOS specific scripts.[174][175]
Gold Dragon collects endpoint information using the systeminfo command.[83]
GoldenSpy has gathered operating system information.[176]
Gomir collects information on infected systems such as hostname, username, CPU, and RAM information.[177]
Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.[178]
Grandoreiro can collect the computer name and OS version from a compromised host.[179]
GravityRAT collects the MAC address, computer name, and CPU information.[180]
Green Lambert can use uname to identify the operating system name, version, and processor type.[181][182]
GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .[183]
GrimAgent can collect the OS, and build version on a compromised host.[184]
HALFBAKED can obtain information about the OS, processor, and BIOS.[185]
can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.[186]
Havoc can gather system information including hostname, domain, and OS details.[187]
HAWKBALL can collect the OS version, architecture information, and computer name.[188]
HermeticWiper can determine the OS version and bitness on a targeted host.[189][190][191][192]
HEXANE has collected the hostname of a compromised machine.[193]
HexEval Loader has identified the OS and MAC address of victim device through host fingerprinting scripting.[194]
HiddenFace can enumerate the hostname and username of the compromised system.[195][196][197]
Higaisa collected the system GUID and computer name.[198][199]
Hildegard has collected the host's OS, CPU, and memory information.[200]
HOPLIGHT has been observed collecting victim machine information like OS version.[201]
HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.[202]
Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.[203]
The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.[204]
IcedID has the ability to identify the computer name and OS version on a compromised host.[205][206]
IMAPLoader uses WMI queries to gather information about the victim machine.[207]
Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.[208]
Industroyer collects the victim machine’s Windows GUID.[209]
InnaputRAT gathers system information.[210]
InvisibleFerret has collected OS type, hostname and system version through the "pay" module.[61][63] InvisibleFerret has also queried the victim device using Python scripts to obtain the User and Hostname.[211][62]
InvisiMole can gather information on the OS version, computer name, DEP policy, and memory size.[212][213]
IronWind can capture the OS version and computer name of the compromised host.[214]
Ixeshe collects the computer name of the victim's system during the initial infection.[215]
JPIN can obtain system information such as OS version and disk space.[216]
jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[217]
During Juicy Mix, OilRig used a script to send the name of the compromised host via HTTP POST to register it with C2.[218]
Kapeka utilizes WinAPI calls and registry queries to gather system information.[219]
KARAE can collect system information.[186]
Kasidet has the ability to obtain a victim's system name and operating system version.[220]
Kazuar gathers information on the system.[221]
Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.[222][223][224]
Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.[225]
Kessel has collected the system architecture, OS version, and MAC address information.[81]
Kevin can enumerate the OS version and hostname of a targeted machine.[193]
KeyBoy can gather extended system information, such as information about the operating system and memory.[226][227]
KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, and time elapsed since system start.[228]
Kimsuky has enumerated OS type, OS version, and other information using a script or the "systeminfo" command.[229][230] Kimsuky has also obtained system information such as OS type, OS version, and system type through querying various Windows Management Instrumentation (WMI) classes including Win32_OperatingSystem.[231][232]
Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.[233]
Kobalos can record the hostname and kernel version of the target machine.[234]
KOCTOPUS has checked the OS version using wmic.exe and the find command.[233]
KOMPROGO is capable of retrieving information about the infected system.[235]
KONNI can gather the OS version, architecture information, hostname, and RAM size information from the victim’s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.[236][237][238]
KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.[239]
Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.[240]
LAMEHUG has the ability to execute Windows commands returned from C2 to gather system information.[241][242]
Latrodectus can gather operating system information.[243][244][244][245]
Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information.[246][247][248][249][250][251]
LazyWiper has used [System.Net.Dns]::GetHostName() and $env:COMPUTERNAME to enumerate the hostname of a system and determine if it is a domain controller.[252]
Leviathan Australian Intrusions
Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions.[253]
LightNeuron gathers the victim computer name using the Win32 API call GetComputerName.[254]
LightSpy's second stage implant uses the DeviceInformation class to collect system information, including CPU usage, battery statistics, memory allocations, screen size, etc.[255]
Line Dancer can gather system configuration information by running the native show configuration command.[256]
Linfo creates a backdoor through which remote attackers can retrieve system information.[257]
LiteDuke can enumerate the CPUID and BIOS version on a compromised system.[152]
LitePower has the ability to enumerate the OS architecture.[156]
LITTLELAMB.WOOLTEA can check the type of Ivanti VPN device it is running on by executing first_run() to identify the first four bytes of the motherboard serial number.[258]
Lizar can collect the computer name from the machine.[259][260]
LockBit 2.0 can enumerate system information including hostname and domain information.[261][262]
LockBit 3.0 can enumerate system hostname and domain.[263]
LODEINFO can disover machine information including OS architecture, the ANSI code page (ACP) identifier, and hostname.[264][265]
Lokibot has the ability to discover the computer name and Windows product name/version.[266]
LoudMiner has monitored CPU usage.[267]
Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.[268]
Lumma Stealer has gathered various system information from victim machines.[269][270][271]
LunarMail can capture environmental variables on compromised hosts.[272]
LunarWeb can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.[272]
Machete collects the hostname of the target computer.[273]
MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, and macOS version.[274]
macOS.OSAMiner can gather the device serial number.[275]
Mafalda can collect the computer name of a compromised host.[276][277]
Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[278][279][280]
MagicRAT collects basic system information from victim machines.[281]
Malteiro collects the machine information, system architecture, the OS version, computer name, and Windows product name.[282]
Mango can collect the machine name of a compromised system which is later used as part of a unique victim identifier.[218]
Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.[283]
MarkiRAT can obtain the computer name from a compromised host.[284]
Maze has checked the language of the infected system using the "GetUSerDefaultUILanguage" function.[285]
Medusa Group has leveraged cmd.exe to identify system info cmd.exe /c systeminfo.[286]
Medusa Ransomware has collected data from the SMBIOS firmware table using GetSystemFirmwareTable.[287]
metaMain can collect the computer name from a compromised host.[277]
Metamorfo has collected the hostname and operating system version from the compromised host.[288][289][290]
Meteor has the ability to discover the hostname of a compromised host.[291]
Micropsia gathers the hostname and OS version from the victim’s machine.[292][293]
Milan can enumerate the targeted machine's name and GUID.[294][295]
MiniDuke can gather the hostname on a compromised machine.[152]
MirageFox can collect CPU and architecture information from the victim’s machine.[296]
MirrorFace has employed malicious macros and native Windows tools such as csvde.exe, nltest.exe and quser.exe for discovery.[265][196][197]
The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.[297]
The initial beacon packet for Misdat contains the operating system version of the victim.[297]
Mispadu collects the OS version, computer name, and language ID.[298]
MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.[299]
MoleNet can collect information about the about the system.[136]
Mongall can retrieve the hostname via gethostbyname.[300]
Moonstone Sleet has gathered information on victim systems.[301]
MoonWind can obtain the victim hostname, Windows version, RAM amount, and screen resolution.[302]
More_eggs has the capability to gather the OS version and computer name.[303][304]
Moses Staff collected information about the infected host, including the machine names and OS architecture.[305]
MuddyWater has used malware that can collect the victim’s OS version and machine name.[306][307][308][309][310]
MURKYTOP has the capability to retrieve information about the OS.[311]
Mustang Panda has gathered system information using systeminfo.[312]
Mustard Tempest has used implants to perform system reconnaissance on targeted systems.[313]
Naid collects a unique identifier (UID) from a compromised host.[314]
NanHaiShu can gather the victim computer name and serial number.[315]
NavRAT uses systeminfo on a victim’s machine.[316]
NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.[317]
Neoichor can collect the OS version and computer name from a compromised host.[224]
Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.[318]
NETWIRE can discover and collect victim system information.[319]
Nightdoor gathers information on the victim system such as CPU and Computer name as well as device drivers.[119]
Ninja can obtain the computer name and information on the OS from targeted hosts.[320][321]
njRAT enumerates the victim operating system and computer name during the initial infection.[322]
NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server.[323]
NOKKI can gather information on the operating system on the victim’s machine.[324]
NOOPLDR can discover the device ID and hostname from the targeted machine to use for encryption keys.[196]
ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.[325]
OceanSalt can collect the computer name from the system.[326]
Octopus can collect the computer name, OS version, and OS architecture information.[327]
OilBooster can identify the compromised system's hostname which is used to create a unique identifier.[328]
OilRig has run hostname and systeminfo on a victim.[329][330][331][332][333]
Okrum can collect computer name, locale information, and information about the OS and architecture.[334]
OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[335]
During Operation AkaiRyū, MirrorFace collected system information.[336]
During Operation CuckooBees, the threat actors used the systeminfo command to gather details about a compromised system.[337]
During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using cmd /c systeminfo > %temp%\ temp.ini.[338]
During Operation Wocao, threat actors discovered the OS versions of systems connected to a targeted network.[339]
Orz can gather the victim OS version and whether it is 64 or 32 bit.[315]
OSInfo discovers information about the infected machine.[28]
OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion.[340][341]
OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.[342][343][8]
Pasam creates a backdoor through which remote attackers can retrieve information like hostname.[344]
Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.[345][317]
Pay2Key has the ability to gather the hostname of the victim machine.[346]
Penquin can report the file system type of a compromised host to C2.[347]
Pikabot performs a variety of system checks and gathers system information, including commands such as whoami.[348][349]
PinchDuke gathers system configuration information.[350]
PingPull can retrieve the hostname of a compromised host.[351]
PipeMon can collect and send OS version and computer name as a part of its C2 beacon.[352]
Pisloader has a command to collect victim system information, including the system name and OS version.[353]
PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.[354]
Play has leveraged tools to enumerate system information.[355]
PlugX has collected system information including OS version, processor information, RAM size, location, host name, IP, and screen size of the infected host.[356]
PoetRAT has the ability to gather information about the compromised host.[357]
Pony has collected the Service Pack, language, and region information to send to the C2.[358]
POORAIM can identify system information, including battery status.[186]
PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[359]
PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[360]
PowerShower has collected system information on the infected host.[361]
POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.[362][363]
POWRUNER may collect information about the system by running hostname and systeminfo on a victim.[364]
A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.[365]
Proxysvc collects the OS version, country name, MAC address, computer name, and physical memory statistics.[250]
PUBLOAD has collected and sent system information including volume serial number, computer name, and system uptime to designated C2.[366][367] PUBLOAD has also used several commands executed in sequence via cmd in a short interval to gather system information about the infected host including systeminfo.[368] PUBLOAD has decrypted shellcode that collects the computer name.[369]
PUNCHBUGGY can gather system information such as computer names.[370]
Pupy can grab a system’s information including the OS version, architecture, etc.[371]
PureCrypter can enumerate a targeted system's SerialNumber and Version.[372][373]
QakBot can collect system information including the OS version and domain on a compromised host.[374][375][376][313]
Qilin can detect whether a system is running FreeBSD, VMkernel (ESXi), Nutanix AHV, or a standard Linux distribution to enable platform-specific encryption behaviors.[377]
QuasarRAT can gather system information from the victim’s machine including the OS type.[378]
Raccoon Stealer gathers information on infected systems such as operating system, processor information, RAM, and display information.[379][380]
RansomHub can retrieve information about virtual machines.[381]
Raspberry Robin performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.[382]
RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[383][384]
RCSession can gather system information from a compromised host.[385]
Reaver collects system information from the victim, including CPU speed, computer name, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[386]
RedCurl has collected information about the target system, such as system information and list of network connections.[387][388]
RedDelta Modified PlugX Infection Chain Operations
Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations.[389]
RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[101][390]
RedLine Stealer can collect information about the local system.[391][392][393][394]
Remcos can collect the OS version and process architecture of compromised hosts.[395]
Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[396]
Revenge RAT collects the CPU information, OS information, and system language.[397]
REvil can identify the username, machine name, system language, keyboard layout, and OS version on a compromised host.[398][399][400][401][401][402][403][404]
Rifdoor has the ability to identify the Windows version on the compromised host.[405]
RIFLESPINE can collect system information after installation on infected systems.[406]
Rising Sun can detect the computer name and operating system.[407]
Rocke has used uname -m to collect the name and information about the infected system's kernel.[408]
RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[409]
ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.[410][411][412][413][414][415]
RotaJakiro executes a set of commands to collect device information, including uname. Another example is the cat /etc/*release | uniq command used to collect the current OS distribution.[416]
Royal can use GetNativeSystemInfo to enumerate system processors.[417][418]
RTM can obtain the computer name, OS version, and default language identifier.[419]
RunningRAT gathers the OS version and processor information.[83]
RustyWater has gathered the victim machine’s computer name.[420]
The initial beacon packet for S-Type contains the operating system version and file system of the victim.[297]
Sagerunex gathers information from the infected system such as hostname.[421]
Saint Bot can identify the OS version, CPU, and other details from a victim's machine.[422]
SampleCheck5000 can create unique victim identifiers by using the compromised system’s computer name.[328]
Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[423][424]
Sardonic has the ability to collect the computer name, and CPU manufacturer name from a compromised machine. Sardonic also has the ability to execute the ver and systeminfo commands.[425]
Scattered Spider has executed scripts to identify the underlying operating system to ensure it uses the correct installation package for malicious payloads.[426]
SDBbot has the ability to identify the OS version, OS bit information and computer name.[172][19]
ServHelper will attempt to enumerate Windows version and system architecture.[427]
ShadowPad has discovered system information including memory status, CPU frequency, and OS versions.[428]
Shai-Hulud has gathered victim system information.[429][430]
Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[431][432]
SharePoint ToolShell Exploitation
During SharePoint ToolShell Exploitation, threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes.[433]
Shark can collect the GUID of a targeted machine.[294][295]
SharpStage has checked the system settings to see if Arabic is the configured language.[434]
SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.[363]
ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.[435]
ShrinkLocker uses WMI queries to gather various information about the victim machine and operating system.[436][437]
SHUTTERSPEED can collect system information.[186]
SideCopy has identified the OS version of a compromised host.[11]
SideTwist can collect the computer name of a targeted system.[332]
Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.[438][439]
SILENTTRINITY can collect information related to a compromised host, including OS version.[440]
Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.[441]
SLOTHFULMEDIA has collected system name, OS version, adapter information, and memory usage from a victim machine.[442]
SLOWDRIFT collects and sends system information to its C2.[186]
SMOKEDHAM has used the systeminfo command on a compromised host.[443]
Snip3 has the ability to query Win32_ComputerSystem for system information. [444]
SocGholish has the ability to enumerate system information including the victim computer name.[445][446][447]
SodaMaster can enumerate the host name and OS version on a target system.[448]
Solar can send basic information about the infected host to C2.[218]
SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.[449]
SoreFang can collect the hostname, operating system configuration, and product ID on victim machines by executing Systeminfo.[450]
SOUNDBITE is capable of gathering system information.[235]
Sowbug obtained OS version and hardware configuration from a victim.[451]
Spark can collect the hostname, keyboard layout, and language from the system.[452]
SPAWNCHIMERA has obtained system information such as release, uptime, and current time.[453]
SpeakUp uses the cat /proc/cpuinfo | grep -c "cpu family" 2>&1 command to gather system information. [454]
SpicyOmelette can identify the system name of a compromised host.[455]
SplatCloak has collected the Windows build number using the windows kernel API RtlGetVersion to determine if the response is 19000 or higher (Windows 10 version 2004 or later).[456]
Squirrelwaffle has gathered victim computer information and configurations.[457]
SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.[458]
STARWHALE can gather the computer name of an infected host.[459][460]
StealBit can enumerate the computer name and domain membership of the compromised system.[461]
Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.[462]
StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.[463]
Storm-0501 has leveraged native Windows tools and commands such as systeminfo and open-source tools including OSQuery and ossec-win32 to query details about the endpoint.[464]
StreamEx has the ability to enumerate system information.[465]
StrelaStealer variants collect victim system information for exfiltration.[466]
StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host.[467]
Stuxnet collects system information including computer and domain names, OS version, and S7P paths.[468]
SUNBURST collected hostname and OS version.[469][470]
SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of systeminfo.exe.[471]
SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.[472]
Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.[458]
SYSCON has the ability to use Systeminfo to identify system information.[96]
SystemBC has collected username , build number and serial number, then sent the information to the C2 server.[473][474] SystemBC has also gathered device name, operating system, and processor type.[475]
Systeminfo can be used to gather information about the operating system.[476]
SysUpdate can collect a system's architecture, operating system version, and hostname.[477][478]
T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.[479]
TA2541 has collected system information prior to downloading malware on the targeted host.[480]
TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.[481]
TeamTNT has searched for system version, architecture, and hostname information.[482][483]
ThreatNeedle can collect system profile information from a compromised host.[484]
TONESHELL has the ability to retrieve the name of the infected machine.[367][485][486]
TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.[487][488][489][490]
Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.[491]
Troll Stealer can collect local system information.[492][177]
Tropic Trooper has detected a target system’s OS version.[493][494]
Tsundere Botnet has collected the machine’s MAC address, total memory, GPU information and other system information.[495]
Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.[496]
Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[497][498]
TURNEDUP is capable of gathering system information.[499]
Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.[500]
UPPERCUT has the capability to gather the system’s hostname and OS version.[501][336]
Uroburos has the ability to gather basic system information and run the POSIX API gethostbyname.[502]
Ursnif has used Systeminfo to gather system information.[503]
Valak can determine the Windows version and computer name on a compromised host.[504][505]
VERMIN collects the OS name, machine name, and architecture information.[506]
VOID MANTICORE has gathered system information and disseminated it back to C2.[507]
Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.[508][509][510]
WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.[511]
WellMess can identify the computer name of a compromised host.[512][513]
Windigo has used a script to detect which Linux distribution and version is currently installed on the system.[81]
WINDSHIELD can gather the victim computer name.[235]
Windshift has used malware to identify the computer name of a compromised host.[514]
WINERACK can gather information about the host.[186]
Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.[515]
WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.[458]
Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.[516]
Winter Vivern script execution includes basic victim information gathering steps which are then transmitted to command and control servers.[517]
Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim's machine. Wizard Spider has also utilized the PowerShell cmdlet Get-ADComputer to collect DNS hostnames, last logon dates, and operating system information from Active Directory.[518][519]
Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, and environment variables.[520]
XAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.[521]
XCSSET identifies the macOS version and uses ioreg to determine serial number.[522]
XLoader can collect system information and supported language information from the victim machine.[523]
XORIndex Loader has the ability to collect the hostname, OS Username, Geolocation, and OS version of an infected host.[524]
YAHOYAH checks for the system’s Windows OS version and hostname.[493]
yty gathers the computer name, CPU information, Microsoft Windows version, and runs the command systeminfo.[525]
Zebrocy collects the OS version and computer name. Zebrocy also runs the systeminfo command to gather system information. [526][91][527][92][528][529][530]
ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.[531]
Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.[532][533]
ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.[534]
ZLib has the ability to enumerate system information.[297]
zwShell can obtain the victim PC name and OS version.[535]
ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[536]
ZxxZ has collected the host name and operating system product name from a compromised machine.[537]