MITRE ATT&CK Technique
Discovery T1082
Description

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from [Local Storage Discovery](https://attack.mitre.org/techniques/T1680) which is an adversary's discovery of local drive, disks and/or volumes.

Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. Adversaries may leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get` and `system version get`.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)

[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)

Supported Platforms
ESXi IaaS Linux macOS Network Devices Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:31:04.307Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'An adversary may attempt to get detailed information about '
                'the operating system and hardware, including version, '
                'patches, hotfixes, service packs, and architecture. '
                'Adversaries may use this information to shape follow-on '
                'behaviors, including whether or not the adversary fully '
                'infects the target and/or attempts specific actions. This '
                'behavior is distinct from [Local Storage '
                'Discovery](https://attack.mitre.org/techniques/T1680) which '
                "is an adversary's discovery of local drive, disks and/or "
                'volumes.\n'
                '\n'
                'Tools such as '
                '[Systeminfo](https://attack.mitre.org/software/S0096) can be '
                'used to gather detailed system information. If running with '
                'privileged access, a breakdown of system data can be gathered '
                'through the <code>systemsetup</code> configuration tool on '
                'macOS. Adversaries may leverage a [Network Device '
                'CLI](https://attack.mitre.org/techniques/T1059/008) on '
                'network devices to gather detailed system information (e.g. '
                '<code>show version</code>).(Citation: US-CERT-TA18-106A) On '
                'ESXi servers, threat actors may gather system information '
                'from various esxcli utilities, such as `system hostname get` '
                'and `system version get`.(Citation: Crowdstrike Hypervisor '
                'Jackpotting Pt 2 2021)(Citation: Varonis)\n'
                '\n'
                'Infrastructure as a Service (IaaS) cloud providers such as '
                'AWS, GCP, and Azure allow access to instance and virtual '
                'machine information via APIs. Successful authenticated API '
                'calls can return data such as the operating system platform '
                'and status of a particular instance or the model view of a '
                'virtual machine.(Citation: Amazon Describe '
                'Instance)(Citation: Google Instances Resource)(Citation: '
                'Microsoft Virutal Machine API)\n'
                '\n'
                '[System Information '
                'Discovery](https://attack.mitre.org/techniques/T1082) '
                'combined with information gathered from other forms of '
                'discovery and reconnaissance can drive payload development '
                'and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS '
                'Common Tools and Techniques) ',
 'external_references': [{'external_id': 'T1082',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1082'},
                         {'description': 'Amazon. (n.d.). '
                                         'describe-instance-information. '
                                         'Retrieved March 3, 2020.',
                          'source_name': 'Amazon Describe Instance',
                          'url': 'https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html'},
                         {'description': 'Google. (n.d.). Rest Resource: '
                                         'instance. Retrieved March 3, 2020.',
                          'source_name': 'Google Instances Resource',
                          'url': 'https://cloud.google.com/compute/docs/reference/rest/v1/instances'},
                         {'description': 'Jason Hill. (2023, February 8). '
                                         'VMware ESXi in the Line of '
                                         'Ransomware Fire. Retrieved March 26, '
                                         '2025.',
                          'source_name': 'Varonis',
                          'url': 'https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire'},
                         {'description': 'Michael Dawson. (2021, August 30). '
                                         'Hypervisor Jackpotting, Part 2: '
                                         'eCrime Actors Increase Targeting of '
                                         'ESXi Servers with Ransomware. '
                                         'Retrieved March 26, 2025.',
                          'source_name': 'Crowdstrike Hypervisor Jackpotting '
                                         'Pt 2 2021',
                          'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'},
                         {'description': 'Microsoft. (2019, March 1). Virtual '
                                         'Machines - Get. Retrieved October 8, '
                                         '2019.',
                          'source_name': 'Microsoft Virutal Machine API',
                          'url': 'https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get'},
                         {'description': 'Phil Stokes. (2021, February 16). 20 '
                                         'Common Tools & Techniques Used by '
                                         'macOS Threat Actors & Malware. '
                                         'Retrieved August 23, 2021.',
                          'source_name': '20 macOS Common Tools and Techniques',
                          'url': 'https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/'},
                         {'description': 'Phile Stokes. (2018, September 20). '
                                         'On the Trail of OSX.FairyTale | '
                                         'Adware Playing at Malware. Retrieved '
                                         'August 24, 2021.',
                          'source_name': 'OSX.FairyTale',
                          'url': 'https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/'},
                         {'description': 'US-CERT. (2018, April 20). Alert '
                                         '(TA18-106A) Russian State-Sponsored '
                                         'Cyber Actors Targeting Network '
                                         'Infrastructure Devices. Retrieved '
                                         'October 19, 2020.',
                          'source_name': 'US-CERT-TA18-106A',
                          'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'}],
 'id': 'attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'discovery'}],
 'modified': '2025-10-24T17:48:38.277Z',
 'name': 'System Information Discovery',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Maril Vernon @shewhohacks',
                          'Praetorian',
                          'Austin Clark, @c2defense'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['ESXi',
                       'IaaS',
                       'Linux',
                       'macOS',
                       'Network Devices',
                       'Windows'],
 'x_mitre_version': '3.0'}
Related Threat Actors (63)
donex
Low

Play
High

Winter Vivern
High

SideCopy
High

BlackByte
High