S0165 OSInfo
OSInfo is a custom tool used by APT3 to perform internal discovery on a victim's computer and network. [1]
Item | Value |
---|---|
ID | S0165 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 16 January 2018 |
Last Modified | 18 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | OSInfo enumerates local and domain users. [1] |
enterprise | T1087.002 | Domain Account | OSInfo enumerates local and domain users. [1] |
enterprise | T1135 | Network Share Discovery | OSInfo discovers shares on the network. [1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | OSInfo has enumerated the local administrators group. [1] |
enterprise | T1069.002 | Domain Groups | OSInfo specifically looks for Domain Admins and power users within the domain. [1] |
enterprise | T1012 | Query Registry | OSInfo queries the registry to look for information about Terminal Services. [1] |
enterprise | T1018 | Remote System Discovery | OSInfo performs a connection test to discover remote systems in the network. [1] |
enterprise | T1082 | System Information Discovery | OSInfo discovers information about the infected machine. [1] |
enterprise | T1016 | System Network Configuration Discovery | OSInfo discovers the current domain information. [1] |
enterprise | T1049 | System Network Connections Discovery | OSInfo enumerates the current network connections similar to net use. [1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0022 | APT3 | [1] |