An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.Example commands and utilities that obtain this information include
ver, Systeminfo, anddirwithin cmd for identifying information based on present files and directories.On Mac, the
systemsetupcommand gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, thesystem_profilergives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
Identify System Info
Supported Platforms: Windows
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
Identify System Info
Supported Platforms: Linux, macOS
systemsetup
system_profiler
ls -al /Applications
Identify System Info
Supported Platforms: Linux, macOS
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
Supported Platforms: Linux
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
Supported Platforms: Linux
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"