systeminfo.exe

  • File Path: C:\Windows\system32\systeminfo.exe
  • Description: Displays system information

Hashes

Type Hash
MD5 F2D7816271A27223945E8AE24B6F81F7
SHA1 B1A8FB81070A8E5B1A389BB825BED7F9CB4BAE98
SHA256 1084ADF2DDBE903BD71A496720B0D6616882F120D1B3FFEAE8D47FEB0D9CC123
SHA384 8C11CE27E114F2816BFA46DFEE23A2EF3C46ADA7E1730163AB81CC29D70EF0D87425864BECFEC2844F72AD7645C88DBD
SHA512 0B308FDD3E617B104DB0A65DA7D269A199EEA3F829027C59506917B9ED543655787BACACED7BAEAC2BB786E2D276BEEFA673F96D1F036CF97EDFE14AF95E78C9
SSDEEP 1536:xMHrgDS5e4ZpCSoeuktTZXrHkpb+AXIpFkDpQfM0Gff3JyYcpliIjIep6KCNxji7:xsgDSgdEEnIpFkX0Gf/poIesKex27
IMP C5985EAB8C1ED292344936A4595C1438
PESHA1 160EC3FAF1C0265584CF7428642A4248F052CEC5
PE256 094871EB27C44FA77F0E9C7830D4F960ADF6A64D263D8A228A9F410D69BB36B4

Runtime Data

Usage (stdout):


SYSTEMINFO [/S system [/U username [/P [password]]]] [/FO format] [/NH]

Description:
    This tool displays operating system configuration information for
    a local or remote machine, including service pack levels.

Parameter List:
    /S      system           Specifies the remote system to connect to.

    /U      [domain\]user    Specifies the user context under which
                             the command should execute.

    /P      [password]       Specifies the password for the given
                             user context. Prompts for input if omitted.

    /FO     format           Specifies the format in which the output
                             is to be displayed.
                             Valid values: "TABLE", "LIST", "CSV".

    /NH                      Specifies that the "Column Header" should
                             not be displayed in the output.
                             Valid only for "TABLE" and "CSV" formats.

    /?                       Displays this help message.

Examples:
    SYSTEMINFO
    SYSTEMINFO /?
    SYSTEMINFO /S system
    SYSTEMINFO /S system /U user
    SYSTEMINFO /S system /U domain\user /P password /FO TABLE
    SYSTEMINFO /S system /FO LIST
    SYSTEMINFO /S system /FO CSV /NH

Usage (stderr):

ERROR: Invalid argument/option - '--help'.
Type "SYSTEMINFO /?" for usage.

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sysinfo.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/1084adf2ddbe903bd71a496720b0d6616882f120d1b3ffeae8d47feb0d9cc123/detection/

Possible Misuse

The following table contains possible examples of systeminfo.exe being misused. While systeminfo.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - 'systeminfo' DRL 1.0
sigma image_load_wmi_module_load.yml - '\systeminfo.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - systeminfo.exe DRL 1.0
sigma proc_creation_win_stordiag_execution.yml description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe DRL 1.0
sigma proc_creation_win_stordiag_execution.yml - '\systeminfo.exe' DRL 1.0
sigma proc_creation_win_susp_commands_recon_activity.yml - systeminfo DRL 1.0
sigma proc_creation_win_susp_systeminfo.yml title: Suspicious Execution of Systeminfo DRL 1.0
sigma proc_creation_win_susp_systeminfo.yml description: Use of systeminfo to get information DRL 1.0
sigma proc_creation_win_susp_systeminfo.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo DRL 1.0
sigma proc_creation_win_susp_systeminfo.yml Image\|endswith: \systeminfo.exe DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\systeminfo.exe' DRL 1.0
LOLBAS Stordiag.yml Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.  
LOLBAS Stordiag.yml - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\  
malware-ioc backdoordiplomacy * systeminfo.oicp.net``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc backdoordiplomacy * systeminfo.myftp.name``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc backdoordiplomacy * systeminfo.cleansite.info``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Windows\n\nExample commands and utilities that obtain this information include <code>ver</code>, [Systeminfo](https://attack.mitre.org/software/S0096), and <code>dir</code> within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and directories.\n\n### Mac\n\nOn Mac, the <code>systemsetup</code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler</code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.\n\n### AWS\n\nIn Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual machines, software, and software dependencies running.(Citation: Amazon System Discovery)\n\n### GCP\n\nOn Google Cloud Platform (GCP) <code>GET /v1beta1/{parent=organizations/*}/assets</code> or <code>POST /v1beta1/{parent=organizations/*}/assets:runDiscovery</code> may be used to list an organizations cloud assets, or perform asset discovery on a cloud environment.(Citation: Google Command Center Dashboard)\n\n### Azure\n\nIn Azure, the API request <code>GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01</code> may be used to retrieve information about the model or instance view of a virtual machine.(Citation: Microsoft Virutal Machine API)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.\n\nAdversaries may use several methods including [Security Software Discovery](https://attack.mitre.org/techniques/T1063) to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) by searching for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) to help determine if it is an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandboxes. (Citation: Unit 42 Pirpi July 2015)\n\n###Virtual Machine Environment Artifacts Discovery###\n\nAdversaries may use utilities such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1086), [Systeminfo](https://attack.mitre.org/software/S0096), and the [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, and/or the Registry. Adversaries may use [Scripting](https://attack.mitre.org/techniques/T1064) to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMWare, adversaries can use a special I/O port to send commands and receive output. Adversaries may also check the drive size. For example, this can be done using the Win32 DeviceIOControl function. \n\nExample VME Artifacts in the Registry(Citation: McAfee Virtual Jan 2017)\n\n* <code>HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions</code>\n* <code>HKLM\\HARDWARE\\Description\\System\\”SystemBiosVersion”;”VMWARE”</code>\n* <code>HKLM\\HARDWARE\\ACPI\\DSDT\\BOX_</code>\n\nExample VME files and DLLs on the system(Citation: McAfee Virtual Jan 2017)\n\n* <code>WINDOWS\\system32\\drivers\\vmmouse.sys</code> \n* <code>WINDOWS\\system32\\vboxhook.dll</code>\n* <code>Windows\\system32\\vboxdisp.dll</code>\n\nCommon checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017)\n\n###User Activity Discovery###\n\nAdversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it’s a sandboxed environment.(Citation: Sans Virtual Jan 2016) Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) and waiting for a user to double click on an embedded image to activate (Citation: FireEye FIN7 April 2017).\n\n###Virtual Hardware Fingerprinting Discovery###\n\nAdversaries may check the fan and temperature of the system to gather evidence that can be indicative a virtual environment. An adversary may perform a CPU check using a WMI query <code>$q = “Select * from Win32_Fan” Get-WmiObject -Query $q</code>. If the results of the WMI query return more than zero elements, this might tell them that the machine is a physical one. (Citation: Unit 42 OilRig Sept 2018)", © ESET 2014-2018
malware-ioc oceanlotus-macOS.misp.event.json "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\n\n### Windows\n\nExample commands and utilities that obtain this information include <code>ver<\/code>, [Systeminfo](https:\/\/attack.mitre.org\/software\/S0096), and <code>dir<\/code> within [cmd](https:\/\/attack.mitre.org\/software\/S0106) for identifying information based on present files and directories.\n\n### Mac\n\nOn Mac, the <code>systemsetup<\/code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler<\/code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\n\n===Windows===\n\nExample commands and utilities that obtain this information include <code>ver<\/code>, Systeminfo, and <code>dir<\/code> within cmd for identifying information based on present files and directories.\n\n===Mac===\n\nOn Mac, the <code>systemsetup<\/code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler<\/code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", © ESET 2014-2018
atomic-red-team T1082.md Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges. MIT License. © 2018 Red Canary
atomic-red-team T1082.md systeminfo MIT License. © 2018 Red Canary
signature-base apt_casper.yar $a1 = “& SYSTEMINFO) ELSE EXIT” CC BY-NC 4.0
signature-base apt_golddragon.yar $s2 = “/c systeminfo » %s” fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $s1 = “cmd.exe /c systeminfo “ fullword ascii CC BY-NC 4.0
signature-base apt_keylogger_cn.yar $s1 = “\cmd.exe /c "systeminfo.exe » “ fullword ascii CC BY-NC 4.0
signature-base apt_op_honeybee.yar $s2 = “cmd /c systeminfo >%s” fullword ascii CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar $s5 = “53595354454D494E464F2026205441534B4C495354” ascii /* hex encoded string ‘SYSTEMINFO & TASKLIST’ */ CC BY-NC 4.0
signature-base gen_crimson_rat.yar $x3 = “cmd.exe/c systeminfo » 1.txt” fullword wide CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $a5 = “SystemInfo” CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s6 = “systeminfo” ascii CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $ = “systeminfo” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


systeminfo

Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards).

Syntax

systeminfo [/s <computer> [/u <domain>\<username> [/p <password>]]] [/fo {TABLE | LIST | CSV}] [/nh]

Parameters

Parameter Description
/s <computer> Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u <domain>\<username> Runs the command with the account permissions of the specified user account. If /u is not specified, this command uses the permissions of the user who is currently logged on to the computer that is issuing the command.
/p <password> Specifies the password of the user account that is specified in the /u parameter.
/fo <format> Specifies the output format with one of the following values:<ul><li>TABLE - Displays output in a table.</li><li>LIST - Displays output in a list.</li><li>CSV - Displays output in comma-separated values (.csv) format.</li></ul>
/nh Suppresses column headers in the output. Valid when the /fo parameter is set to TABLE or CSV.
/? Displays help at the command prompt.

Examples

To view configuration information for a computer named Srvmain, type:

systeminfo /s srvmain

To remotely view configuration information for a computer named Srvmain2 that is located on the Maindom domain, type:

systeminfo /s srvmain2 /u maindom\hiropln

To remotely view configuration information (in list format) for a computer named Srvmain2 that is located on the Maindom domain, type:

systeminfo /s srvmain2 /u maindom\hiropln /p p@ssW23 /fo list

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.