OSInfo

OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. ^[1]

ID: S0165

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 16 January 2018

Last Modified: 18 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1069	.001	权限组发现: Local Groups	OSInfo has enumerated the local administrators group.^[1]
		.002	权限组发现: Domain Groups	OSInfo specifically looks for Domain Admins and power users within the domain.^[1]
Enterprise	T1012		查询注册表	OSInfo queries the registry to look for information about Terminal Services.^[1]
Enterprise	T1082		系统信息发现	OSInfo discovers information about the infected machine.^[1]
Enterprise	T1049		系统网络连接发现	OSInfo enumerates the current network connections similar to `net use` .^[1]
Enterprise	T1016		系统网络配置发现	OSInfo discovers the current domain information.^[1]
Enterprise	T1135		网络共享发现	OSInfo discovers shares on the network^[1]
Enterprise	T1087	.001	账号发现: Local Account	OSInfo enumerates local and domain users^[1]
		.002	账号发现: Domain Account	OSInfo enumerates local and domain users^[1]
Enterprise	T1018		远程系统发现	OSInfo performs a connection test to discover remote systems in the network^[1]

Groups That Use This Software

ID	Name	References
G0022	APT3	^[1]

References

Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.