T1082: System Information Discovery

T1082 falls under the Discovery tactic. Unlike techniques that modify system state or steal data, System Information Discovery is purely observational — the adversary is reading, not writing. This makes it inherently difficult to detect because every command used for this technique is also used legitimately by system administrators, monitoring tools, and automated scripts every day. The challenge for defenders is not blocking these commands (that would break normal operations) but distinguishing malicious reconnaissance from routine administrative activity.

The technique operates across every major platform — Windows, Linux, macOS, ESXi, network devices, and cloud IaaS environments. On Windows, the built-in systeminfo utility is the single most commonly observed tool, but adversaries also use WMI queries, PowerShell cmdlets, and registry reads. On Linux and macOS, native utilities like uname, hostname, cat /proc/*, and sw_vers serve the same purpose. In cloud environments, authenticated API calls to AWS (DescribeInstances), GCP (compute.instances.get), and Azure (VirtualMachines/Get) expose instance metadata including OS platform, instance type, and configuration details. On ESXi hypervisors, esxcli system version get and esxcli system hostname get give attackers the information they need to determine whether hypervisor-specific exploits or VM escape techniques are viable.

How System Information Discovery Works

System Information Discovery follows a straightforward pattern: the adversary executes one or more commands or API calls to collect environmental data, then uses that data to make decisions about subsequent attack stages. The information gathered typically includes the operating system name and version, installed patches and hotfixes, system architecture (x86 vs x64), hostname, domain membership, hardware specifications (CPU, RAM, disk), BIOS and firmware details, and time zone and language settings.

Windows built-in commands. The systeminfo command is the workhorse of T1082 on Windows. A single execution returns over 40 fields of system data including OS version, build number, registered owner, system manufacturer, processor details, physical and virtual memory, network adapter configurations, installed hotfixes, and domain information. Adversaries frequently pipe the output to a file (systeminfo > %temp%\sysinfo.txt) for later exfiltration. The hostname command provides a quick check for the machine name. The ver command returns the Windows version string. Registry queries like reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum expose disk hardware details.

WMI and PowerShell. Windows Management Instrumentation provides a richer, more structured interface for system enumeration. Commands like wmic os get caption,version,buildnumber, wmic computersystem get model,manufacturer,totalphysicalmemory, and wmic qfe list (which enumerates installed patches) return machine-parseable data that malware can process programmatically. PowerShell equivalents include Get-ComputerInfo, Get-WmiObject Win32_OperatingSystem, and Get-HotFix. These approaches are favored by more sophisticated malware because they can be executed entirely in memory without dropping files to disk.

Linux and macOS utilities. On Linux, the combination of uname -a (kernel version and architecture), cat /etc/os-release (distribution details), cat /proc/cpuinfo (processor specifications), cat /proc/meminfo (memory details), df -aH (mounted disks and free space), and hostnamectl provides a comprehensive system profile. On macOS, sw_vers returns the macOS version, system_profiler SPHardwareDataType exposes hardware details, and systemsetup (requiring admin privileges) reveals configuration settings including time zone, computer name, and network configuration. A Rust-based macOS backdoor analyzed in early 2024 was observed executing systemsetup -gettimezone, systemsetup -getcomputername, and networksetup -listallnetworkservices immediately upon infection.

Cloud and virtualization environments. In IaaS environments, adversaries with compromised credentials or service accounts query cloud provider APIs to enumerate instance metadata. AWS DescribeInstances returns OS platform, instance type, and status. Google Cloud compute.instances.get provides VM model details. Azure VirtualMachines/Get exposes OS and configuration data. On ESXi servers — increasingly targeted by ransomware groups — commands like esxcli system version get, esxcli system hostname get, and vim-cmd vmsvc/getallvms reveal the hypervisor version and list all virtual machines, helping attackers decide which VMs to target for encryption or data theft.

Network device enumeration. On network devices, adversaries use CLI commands like show version to gather firmware version, hardware model, and uptime. This information helps determine whether known vulnerabilities affect the specific firmware version in use, and informs decisions about persistence mechanisms and lateral movement options within the network infrastructure.

Why This Technique Matters

System Information Discovery is rarely the end goal of an attack — it is the intelligence-gathering phase that makes everything else possible. The data collected through T1082 directly informs several critical attacker decisions:

Payload selection. Architecture differences between x86 and x64 systems require different compiled payloads. OS version differences affect which exploits will work. The NOBELIUM toolset's EnvyScout dropper was observed checking whether its payload was received by a Windows or iOS device to select the appropriate next-stage component. Moonstone Sleet, a North Korean threat actor, used T1082 to profile compromised hosts before deploying architecture-specific implants.

Vulnerability identification. The list of installed patches returned by systeminfo or wmic qfe tells an attacker exactly which vulnerabilities remain unpatched on the target. If a known privilege escalation vulnerability has not been patched, the attacker knows immediately that they can exploit it. If the system is fully patched, they may choose a different escalation path.

Environment-aware evasion. Many malware families check system information to determine whether they are running in a sandbox, virtual machine, or analysis environment. If the hardware specifications suggest a minimal VM (single CPU core, limited RAM, generic hardware identifiers), the malware may refuse to execute, a behavior documented extensively in the Picus Red Report 2026's analysis of Virtualization/Sandbox Evasion (T1497). LummaC2, for example, was found using trigonometric calculations on mouse movement patterns alongside system profiling to distinguish real users from automated sandboxes.

Target valuation. System information helps adversaries determine whether a compromised host is worth continued investment. A domain-joined workstation in a corporate environment is a more valuable target than a standalone home computer. A server running in a cloud environment with access to other instances is more valuable than an isolated endpoint. This triage decision often happens automatically — malware checks the system profile and either proceeds with full infection or exits silently.

Real-World Case Studies

APT41 — Systematic Reconnaissance During Global Campaign (2021)

APT41, a Chinese state-sponsored threat group, was observed during its 2021 global campaign using multiple built-in Windows commands for system profiling immediately after gaining access. The group executed systeminfo and net config Workstation to enumerate victim system configuration, domain membership, and network details. This information was used to determine which systems warranted deeper exploitation and lateral movement. APT41's approach exemplifies the methodical use of T1082: gather system details first, then customize the attack chain based on what the environment reveals.

Black Basta Ransomware — Pre-Encryption System Profiling

The Black Basta ransomware operation, one of the more active ransomware-as-a-service groups, incorporates system information discovery as a standard phase of their intrusion playbook. Operators use various system commands and tools to collect system information during the reconnaissance phase before deploying the encryptor. The Black Basta ransomware binary itself uses the GetSystemInfo Windows API function to determine the number of processors on the victim machine — a detail that informs how the ransomware parallelizes its encryption process across CPU cores for maximum speed. On ESXi targets, the group has been observed using esxcli utilities to enumerate VM inventories before targeting virtual disk files for encryption.

Volt Typhoon — Living Off the Land in Critical Infrastructure

Volt Typhoon, a Chinese state-sponsored group targeting U.S. critical infrastructure, is a textbook example of T1082 in a living-off-the-land operation. The group relies almost exclusively on built-in operating system tools for reconnaissance, avoiding the deployment of custom malware that would trigger endpoint detection. System information discovery through native commands like systeminfo, hostname, and ver forms the foundation of their reconnaissance, allowing them to map target environments while generating minimal forensic artifacts. Because these commands are used legitimately by administrators thousands of times a day in enterprise environments, Volt Typhoon's activity blends seamlessly into normal operations.

TrickBot / Anchor — Comprehensive System Fingerprinting

The TrickBot malware ecosystem, operated by Wizard Spider, demonstrates how T1082 is integrated into automated collection modules. TrickBot gathers the OS version, machine name, CPU type, RAM amount, and UEFI/BIOS firmware data from every infected host. The Anchor variant extends this to Linux systems, collecting the hostname and kernel version. The TrickBoot module goes even further, probing the UEFI firmware to determine whether persistent firmware-level implants are feasible on the target hardware. This represents T1082 taken to its logical extreme: system discovery not just for payload selection, but for assessing whether the deepest possible persistence mechanism is achievable.

Gamaredon / Shuckworm — Ongoing Targeting of Ukrainian Entities

Gamaredon (also tracked as Shuckworm), a Russian-linked threat group, has consistently used system information discovery as part of its operations targeting Ukrainian government and military organizations. The group's tooling collects system details to determine target value and tailor subsequent payloads. Symantec and Carbon Black documented this activity continuing through 2025, with Gamaredon targeting foreign military missions based in Ukraine. The group's reliance on T1082 reflects a pattern common across nation-state actors: system profiling is the first step in every intrusion, regardless of the ultimate objective.

Contagious Interview / DPRK — BeaverTail System Profiling

The North Korean Contagious Interview campaign's BeaverTail malware collects basic system information from compromised hosts, including hostname and timestamp data. This information is uploaded to the C2 server's /uploads API endpoint as part of initial victim registration. The system profile helps operators triage victims — determining which compromised developer workstations warrant further exploitation with the InvisibleFerret second-stage payload and which should be abandoned.

Detection Strategies

Detecting T1082 is fundamentally different from detecting techniques that create obvious artifacts. Every command used for system information discovery is legitimate. The detection challenge is identifying when these commands are executed in a suspicious context — by unexpected users, from unexpected parent processes, in rapid succession, or as part of a broader reconnaissance pattern.

Key Monitoring Points

Data Source	What to Monitor	Detection Logic
Sysmon Event ID 1 (Process Creation)	Execution of system discovery commands	Flag execution of systeminfo.exe, hostname.exe, ver, and WMI queries like wmic os get or wmic qfe when triggered by non-administrative users or from unexpected parent processes
Windows Security Event 4688	Command-line process creation with auditing enabled	Monitor for systeminfo, hostname, wmic computersystem get, and PowerShell commands like Get-ComputerInfo or Get-WmiObject Win32_OperatingSystem from non-standard parent processes
Sysmon Event ID 1 (Process Creation)	Rapid succession of discovery commands	Correlate multiple discovery-related process creations (systeminfo, hostname, whoami, ipconfig, net config) from the same host within a short time window. Three or more within five minutes is a strong indicator of automated reconnaissance
Linux Auditd / Syslog	Execution of enumeration utilities	Monitor for uname, cat /proc/cpuinfo, cat /proc/meminfo, cat /etc/os-release, hostnamectl, and lsb_release from non-root users or from unexpected shell sessions
macOS Unified Logs	Execution of system profiling commands	Flag execution of sw_vers, system_profiler, systemsetup, and networksetup -listallnetworkservices from processes other than expected management tools
Cloud Audit Logs	Instance metadata API calls	Monitor AWS CloudTrail for DescribeInstances, DescribeRegions, and GetCallerIdentity from unusual principals or IP addresses. In GCP, review Cloud Audit Logs for compute.instances.get and compute.instances.list from unexpected service accounts
ESXi Syslog	ESXi CLI enumeration commands	Monitor for execution of esxcli system version get, esxcli system hostname get, and vim-cmd vmsvc/getallvms from non-administrative sessions or outside maintenance windows

Splunk Detection Queries

Query 1: System Information Discovery Detection (Multi-Command Correlation)

Detects execution of multiple system discovery commands from the same host, indicating automated reconnaissance rather than isolated administrative activity. This is the primary Splunk detection for T1082, adapted from Splunk's official security content.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name=systeminfo.exe OR CommandLine="*wmic* qfe*"
  OR CommandLine="*wmic* os get*" OR CommandLine="*wmic* computersystem*"
  OR process_name=hostname.exe)
| bin _time span=5m
| stats dc(process_name) as distinct_commands values(process_name) as commands
  values(CommandLine) as cmdlines by _time host user parent_process_name
| where distinct_commands >= 2
| table _time host user parent_process_name commands cmdlines
| sort -_time

Query 2: PowerShell-Based System Enumeration

Detects PowerShell commands commonly used for system profiling. Catches both direct cmdlet execution and WMI object queries through PowerShell.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
process_name=powershell.exe
(CommandLine="*Get-ComputerInfo*" OR CommandLine="*Get-WmiObject*Win32_OperatingSystem*"
  OR CommandLine="*Get-WmiObject*Win32_ComputerSystem*" OR CommandLine="*Get-HotFix*"
  OR CommandLine="*Win32_Processor*" OR CommandLine="*Win32_BIOS*"
  OR CommandLine="*Get-CimInstance*OperatingSystem*")
| table _time host user CommandLine parent_process_name parent_process_path
| sort -_time

Query 3: Registry-Based System Discovery

Detects registry queries targeting system hardware and configuration keys commonly queried by malware during the discovery phase.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*reg query*CurrentVersion*" OR CommandLine="*reg query*Disk\\Enum*"
  OR CommandLine="*reg query*BIOS*" OR CommandLine="*reg query*CentralProcessor*")
| table _time host user CommandLine process_name parent_process_name
| sort -_time

Query 4: Cloud Instance Metadata Discovery (AWS)

Detects potentially suspicious AWS API calls used to enumerate instance information. Requires AWS CloudTrail data ingested into Splunk.

index=aws sourcetype="aws:cloudtrail"
eventName IN ("DescribeInstances","DescribeRegions","GetCallerIdentity","DescribeInstanceInformation")
| stats count values(eventName) as api_calls by userIdentity.arn sourceIPAddress userAgent
| where count > 3
| table _time userIdentity.arn sourceIPAddress api_calls count userAgent
| sort -count

Known Threat Actors

T1082 has one of the broadest documented threat actor lists in the MITRE ATT&CK framework, with over 50 known groups and 391 total threat groups and malware families employing the technique. The following represent prominent examples across different actor categories:

Threat Actor	Affiliation	System Discovery Method
APT41	China	Uses systeminfo and net config Workstation to enumerate system configuration and domain membership
Volt Typhoon	China	Living-off-the-land approach using native OS commands exclusively for reconnaissance against U.S. critical infrastructure
APT29 / Midnight Blizzard	Russia (SVR)	EnvyScout checks OS platform to select architecture-specific next-stage payloads; comprehensive system profiling in post-exploitation
Gamaredon / Shuckworm	Russia	System profiling for target valuation in campaigns against Ukrainian government and military organizations
Lazarus Group	DPRK	HOPLIGHT and HOTCROISSANT trojans collect OS version, hostname, and hardware architecture
Moonstone Sleet	DPRK	System profiling to deploy architecture-specific implants on compromised hosts
Contagious Interview	DPRK	BeaverTail collects hostname and timestamp for C2 registration and victim triage
OilRig / APT34	Iran	Executes hostname and systeminfo on compromised hosts for environment profiling
MuddyWater	Iran	Multiple tools collect system details including OS version, domain, and hardware configuration
Black Basta	Cybercriminal	Uses system commands, GetSystemInfo API, and ESXi enumeration for pre-encryption profiling
Wizard Spider (TrickBot)	Cybercriminal	TrickBot/TrickBoot collects OS, CPU, RAM, and UEFI firmware details for persistence assessment
Scattered Spider	Cybercriminal	System reconnaissance as part of enterprise compromise and identity-based attack campaigns

Defensive Recommendations

1. Implement command-line auditing and enhanced logging

Enable Windows Security Event 4688 with command-line process creation auditing, and deploy Sysmon with a configuration that captures process creation events (Event ID 1) including full command-line arguments. Without command-line visibility, T1082 activity is invisible to detection tools. For Linux systems, configure auditd rules to log execution of common enumeration utilities. On macOS, enable the Unified Logging system with subsystem filters for process execution.

2. Baseline normal discovery command patterns

Establish baselines for which users, service accounts, and processes normally execute system information commands. System monitoring tools, SCCM/Intune agents, and IT automation scripts will regularly execute systeminfo and similar commands. Documenting these normal patterns enables detection rules that flag the same commands when executed by unexpected users or from unexpected parent processes. Without a baseline, every detection rule will drown in false positives.

3. Correlate discovery commands with other indicators

A single systeminfo execution is not inherently malicious. The signal becomes meaningful when correlated with other discovery commands within a short time window. If a host executes systeminfo, whoami, net user, ipconfig, and tasklist within minutes, that pattern strongly suggests reconnaissance activity. Build detection rules that trigger on the combination of multiple discovery techniques from the same host, not on individual commands in isolation.

4. Restrict access to system information on cloud instances

In cloud environments, apply the principle of least privilege to IAM policies. Restrict DescribeInstances, DescribeRegions, and equivalent API calls to only those roles and service accounts that require them. Monitor for these API calls from unusual source IP addresses, at unusual times, or from service accounts that do not normally perform instance enumeration. Enable VPC Flow Logs and CloudTrail (AWS), Cloud Audit Logs (GCP), or Activity Logs (Azure) to maintain audit trails.

5. Harden ESXi and hypervisor environments

ESXi servers have become primary targets for ransomware groups. Restrict SSH access to ESXi hosts, enforce multi-factor authentication for administrative access, and monitor ESXi syslog for execution of esxcli enumeration commands outside of scheduled maintenance windows. Any vim-cmd vmsvc/getallvms execution from a non-administrative session should trigger an immediate alert and investigation.

6. Deploy endpoint detection with API-level visibility

Many sophisticated malware families collect system information through direct Windows API calls (GetSystemInfo, GetVersionEx, GetNativeSystemInfo, GetComputerNameEx) without spawning command-line processes. These calls are invisible to process-creation-based detection. Ensure your EDR solution provides API call monitoring and can flag unusual patterns of system enumeration API usage, particularly from unsigned processes or from directories that should not contain executables.

7. Restrict unnecessary access to WMI

WMI provides a rich attack surface for system enumeration. Use GPO to restrict WMI access to authorized administrative accounts and monitor for wmic execution from standard user accounts. Consider deploying WDAC (Windows Defender Application Control) rules that restrict wmic.exe execution to approved contexts, and log all WMI remote connections (Sysmon Event ID 19, 20, 21).

8. Monitor for output redirection and staging

Adversaries commonly redirect system information output to files for later exfiltration: systeminfo > %temp%\s.txt or wmic os get > C:\Users\Public\info.txt. Monitor for file creation events (Sysmon Event ID 11) in temporary and user-writable directories where the filename suggests system information output, and correlate these with preceding discovery command executions.

MITRE ATT&CK Mapping

Field	Value
Technique ID	T1082
Technique Name	System Information Discovery
Tactics	Discovery
Platforms	Windows, Linux, macOS, ESXi, IaaS, Network Devices
Sub-Techniques	None (no sub-techniques defined)
Data Sources	Process (Creation), Command (Execution), Instance (Metadata), OS API (Execution)
Version	3.0 (last modified October 2025)
MITRE Reference	attack.mitre.org/techniques/T1082

Sources and References

• MITRE ATT&CK — T1082 System Information Discovery: attack.mitre.org
• Picus Security — Red Report 2025 and T1082 System Information Discovery: picussecurity.com
• Picus Security — Red Report 2026 — Rise of the Digital Parasite: picussecurity.com
• Splunk Security Content — System Information Discovery Detection: research.splunk.com
• CISA/NSA — Volt Typhoon Advisory on Living Off the Land Techniques: cisa.gov
• Group-IB — APT41 World Tour 2021: group-ib.com
• Microsoft — Moonstone Sleet North Korean Threat Actor: microsoft.com