Home  >  APT29  >  Results  >  Elastic  >  System Information Discovery

Technique Results: System Information Discovery (T1082) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Enumerated the computer hostname using PowerShell
powershell.exe executing $env:COMPUTERNAME
4.C.3
Telemetry (Correlated)
Telemetry showed powershell.exe executing $env:COMPUTERNAME. The event was correlated to a parent General detection for malicious file execution. [1]
Enumerated the OS version using PowerShell
powershell.exe executing​ Gwmi Win32_OperatingSystem
4.C.6
Technique (Correlated, Alert)
A Technique detection called "Reconnaissance of Multiple WMI Classes" was generated due to multiple WMI classes being executed in quick succession. The event was correlated to a parent General detection for malicious file execution. The detection was a medium severity alert. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing $Gwmi Win32_OperatingSystem. The event was correlated to a parent General detection for malicious file execution. [1] [2]
Enumerated computer manufacturer, model, and version information using PowerShell
powershell.exe executing a Get-WmiObject gwmi queries for Win32_BIOS and Win32_ComputerSystem
11.A.4
Technique
A Technique detection for "ATT&CK T1082 System Info Discovery" was generated for powershell.exe querying Win32_ComputerSystem and Win32_BIOS. [1]
Tactic (Alert)
A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1] [2]
Telemetry
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. [1] [2]
Enumerated the computer name using the GetComputerNameEx API
powershell.exe executing the GetComputerNameEx API
13.A.1
Telemetry (Correlated)
Telemetry showed PowerShell calling the GetComputerNameEx API. The detection was correlated to a parent alert for a suspicious Windows script. [1]