The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that System Information Discovery was the ninth most prevalent ATT&CK technique used by adversaries in their malware.
|
The Red Report 2024
|
When adversaries gain initial access to a system, they observe the environment and gain knowledge about the system. Adversaries then use the collected system information to determine how to act in follow-on behaviors. Our research has found that System Information Discovery
is the ninth most prevalent ATT&CK technique
used by adversaries in their malware.
Following initial access to a system, attackers need to gather information about the system to decide how to continue the attack. They collect operating system, hardware, host, and user information to shape follow-on actions.
In this article, we review:
- the most commonly collected information
- the most used methods to discover system information
- use cases of the System Information Discovery technique by threat actors and malware
- red and blue team exercises for this technique
Which type of system information is collected
Adversaries commonly collect the following system information:
- Host/user information
- Hostname
- Username
- Domain name
- Registered Owner
- Registered Organization
- Uptime
- Operation system information
- OS name (e.g., Microsoft Windows 10 Pro)
- OS version (e.g., 10.0.19041 Build 19041)
- System locale (e.g., en-us; English; United States)
- Keyboard layout (e.g., 0409 is an English - US keyboard)
- Hotfix(es)
- Hardware information
- CPU architecture (e.g., x86, x64)
- Processor(s) (e.g., 4 x AMD64 Family 23 ~2000 Mhz)
- Total physical memory
- Network Card(s) (e.g., Intel 82574L)
- IP address(es)
- CPUID / ProcessorID (e.g., 078BFBFF00800F12)
- Volume serial number (e.g., 6000c2926471123a7065babe5ad6f70a)
- Disk size
- Screen resolution
How adversaries collect system information
-
OS Commands
Adversaries use built-in OS utilities to discover system information:
- systeminfo: systeminfo [1] is a Microsoft Windows utility that displays detailed configuration information about a computer and its operating system, including:
- Operating system configuration: OS name, OS version, OS manufacturer, OS configuration, OS build type, registered owner, registered organization, original install date, system locale, input locale, product id, time zone, logon server
- Security information: hotfixes
- Hardware properties: RAM, disk space, network cards, processors, total physical memory, available physical memory, virtual memory
- Other system information: system boot time, system manufacturer, system model, system type, BIOS version, windows directory, system directory, boot device
- systemsetup: systemsetup is a macOS command that enables you to gather and configure certain per-machine settings typically configured in the System Preferences application [2]. At least "admin" privileges are required to run the systemsetup command. The following flags can be used for system information discovery with systemsetup command:
- -getcomputername: Displays computer name.
- -getremotelogin: whether remote login (SSH) is on or off.
- -getlocalsubnetname: Display local subnet name.
- -gettimezone: Displays the current time zone.
-
IaaS API Calls
Adversaries use APIs to get information about instances in cloud Infrastructure as a Service (IaaS) providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
describe-instance-information
in AWS: This API action gives information about instances, including computer name, instanceid, IP address, OS type, OS name, and OS version [2], [3].
Virtual Machines - Get
in Microsoft Azure: This operation retrieves information about the model view or the instance view of a virtual machine, such as OS type, computer name, and admin username [4].
instances.get
in Google Cloud: This method returns information about the specified instance, including hostname, CPU platform, disk size, IP address, and the DNS domain [5].
Use Cases
Use Case 1: ZxShell
If ZxShell
(aka Sensocode
) RAT
(Remote Administration Tool), which is used by Group 72 to conduct cyber-espionage operations, composes a large string that contains the following system information of the victim host and sends this information to its CnC server[6]:
- hostname, organization, and owner
- OS details
- CPU speed
- total physical memory
Use Case 2: Sodinokibi
Sodinokibi
(aka REvil) ransomware
generates a unique identifier (UID) for the host using the volume serial number and CPUID [7]. It uses this UID for encryption/decryption processes as part of the payment URL referenced in the dropped ransom note. Moreover, Sodinokibi profiles the compromised host by collecting the following information:
- username, hostname, and workgroup/domain name
- locale and keyboard layout
- OS name
- Hard disk drive details
- CPU architecture
Interestingly, it uses a parameter named “bro” that indicates a Russian keyboard layout. If this parameter returns true, the compromised host is whitelisted, and it is immune to Sodinokibi
. It calls User32.dll
's GetKeyboardLayoutList function to get the configured keyboard layout.
Use Case 3: Mekotio
Mekotio banking Trojan collects the following information about the compromised host [8]:
- firewall configuration
- user privileges
- OS name and version
- installed anti-fraud protection products (e.g., IBM Trusteer)
- installed anti-malware solutions
- current local time (to use for dynamically generating C&C domain name)
Use Case 4: Sandbox Evasion
Adversaries discover system information to detect and avoid virtualization and analysis environments, such as sandboxes that are used to analyze malicious files and URLs to obtain indicators of compromises (IoCs). Then these IOCs are used to improve defenses and block/detect malicious behavior of adversaries.
Accordingly, the MITRE ATT&CK technique T1497 Virtualization/Sandbox Evasion is one of the primary use cases of the MITRE ATT&CK T1082 System Information Discovery technique. Specifically, the T1497.001 System Checks sub-technique is directly related to the System Information Discovery technique.
Sandbox-evading malware commonly collects the following system information to detect a virtualization/sandbox environment:
-
Total physical memory size: A total RAM size lower than 4GB may indicate a sandbox environment.
-
Storage size: A storage lower than 64 GB may indicate a sandbox.
-
Storage name: If a hard disc drive has a name used by virtual machines (e.g., QEMU, VBOX, VIRTUAL HD, VMWare), it strongly indicates a virtual machine.
-
HDD vendor ID: If the vendor id of the hard disc drive is VBOX or vmware, it is in a virtual machine.
-
Audio device: If there is no audio device in the machine, it may be a sandbox.
-
Screen resolution: Low resolutions may indicate a sandbox environment.
-
Username: Common sandbox usernames (e.g., sandbox, virus, malware, vmware, test) may indicate a sandbox.
-
Hostname: Common sandbox names (e.g., cuckoo, sandbox, sample, malware) may indicate a sandbox environment.
- Uptime: Uptimes lower than 10 minutes may indicate a sandbox.
- Network traffic: High uptimes (e.g., days), but low network traffic (e.g., only a few megabytes) may indicate a sandbox.
- MAC addresses: Specific MAC address prefixes (e.g., 08:00:27 for VirtualBox, 00:05:69 for VMWare , 00:16:E3 for Xen and 00:1C:42 for Parallels) strongly indicate a virtual machine.
- Network adapter name: Specific names for network adapters (e.g,. Vmware) strongly indicates a virtual machine.
- List of files: A clean desktop or documents folder or an empty list of recent files may indicate a sandbox environment.
-
List of directories: The existence of “oracle\virtualbox guest additions\” or “VMWare” directory strongly indicates a virtual machine environment.
-
Browser usage: A short/empty browser history or cookie list may indicate a sandbox.
-
The number of running processes: In a regular Windows environment, at least 50 processes run simultaneously. Lower numbers may indicate a sandbox.
-
Process names: Specific processes (e.g., vmware.exe, xenservice.exe, vmsrvc.exe, vboxservice.exe, joeboxserver.exe, prl_cc.exe) strongly indicate a virtual machine environment.
-
CPU temperature: Virtual machines don’t return a result after CPU temperature check calls, such as MSAcpi_ThermalZoneTemperature.
-
Number of CPU cores: A single core may indicate a virtual machine.
- CPUID: The string returned by the CPUID instruction includes information that can be used to identify the virtual machine vendor, such as Microsoft Hv for Hyper-V, KVMKVMKVM for KVM, prl hyperv for Parallels, VBoxVBoxVBox for VirtualBox, VMwareVMware for VMWare, and XenVMMXenVMM for Xen.
Red and Blue Team Exercises
Exercise 1: Obtain patches installed on the host
Red Teaming - How to simulate?
The following command gets a list of installed Windows and software updates applied to the local computer using WMIC (Windows Management Instrumentation Command) [9]
wmic qfe get description,hotfixid,installedon
C:\Windows\system32>wmic qfe get description,hotfixid,installedon Description HotFixID InstalledOn Update KB4576478 9/9/2020 Security Update KB4537759 5/11/2020 Security Update KB4557968 5/11/2020 Security Update KB4560366 7/13/2020 Security Update KB4561600 7/13/2020 Security Update KB4566785 7/23/2020 Security Update KB4570334 8/12/2020 Security Update KB4577266 9/9/2020 Update KB4571756 9/9/2020 |
Explanation of the command:
- wmic: WMIC is a command-line utility to access Windows Management Instrumentation (WMI). WMI is the infrastructure for management data and operations on Windows-based operating systems [10]. Legitimate users write WMI scripts or applications to automate administrative tasks on remote computers.
- qfe: QFE stands for Quick Fix Engineering. It uses Win32_QuickFixEngineering WMI class to get system-wide updates applied to the current operating system[11].
- description: This parameter gets the update type (Security Update / Update).
- hotfixid: This parameter obtains the Microsoft KB (knowledge base) article id, such as KB4537759. You can read the kb article on http://support.microsoft.com/kb/<HotfixID>, for example, http://support.microsoft.com/kb/4537759 for KB4537759.
- installedon: This parameter gathers the install date of the update.
Blue Teaming - How to detect?
The following Sigma rule can be used to detect an attempt to gather information about installed patches on the local system via the WMIC tool.
title: System Information Discovery by Gathering Installed Patches via WMIC Tool |
References
|