S0165 OSInfo

OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network.[1]

| Item | Value |
| --- | --- |
| ID | S0165 |
| Associated Names | |
| Version | 1.1 |
| Created | 16 January 2018 |
| Last Modified | 18 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | OSInfo enumerates local and domain users.[1] |
| enterprise | T1087.002 | Domain Account | OSInfo enumerates local and domain users.[1] |
| enterprise | T1135 | Network Share Discovery | OSInfo discovers shares on the network.[1] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | OSInfo has enumerated the local administrators group.[1] |
| enterprise | T1069.002 | Domain Groups | OSInfo specifically looks for Domain Admins and power users within the domain.[1] |
| enterprise | T1012 | Query Registry | OSInfo queries the registry to look for information about Terminal Services.[1] |
| enterprise | T1018 | Remote System Discovery | OSInfo performs a connection test to discover remote systems in the network.[1] |
| enterprise | T1082 | System Information Discovery | OSInfo discovers information about the infected machine.[1] |
| enterprise | T1016 | System Network Configuration Discovery | OSInfo discovers the current domain information.[1] |
| enterprise | T1049 | System Network Connections Discovery | OSInfo enumerates the current network connections similar to net use.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0022 | APT3 | [1] |