Description: Heatmap of instances of ATT&CK techniques referenced in recent, public CTI reporting around Prynt Infostealer (source links included in Notes per technique below).
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://app.tidalcyber.com/technique/3eafcd8b-0cb8-4d23-8785-3f80a3c897c7) while Windows installations include the [Windows Command Shell](https://app.tidalcyber.com/technique/be095bcc-4769-4010-b2db-3033d01efdbe) and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde).There are also cross-platform interpreters such as [Python](https://app.tidalcyber.com/technique/68fed1c9-e060-4c4d-83d9-d8c817893d65), as well as those commonly associated with client applications such as [JavaScript](https://app.tidalcyber.com/technique/8a669da8-8894-4fb0-9124-c3c8418985cc) and [Visual Basic](https://app.tidalcyber.com/technique/0340ed34-6db2-4979-bf73-2c16855867b4).Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://app.tidalcyber.com/tactics/586a5b49-c566-4a57-beb4-e7c667f9c34c) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) in order to achieve remote Execution.[[Powershell Remote Commands](https://app.tidalcyber.com/references/24c526e1-7199-45ca-99b4-75e75c7041cd)][[Cisco IOS Software Integrity Assurance – Command History](https://app.tidalcyber.com/references/dbca06dd-1184-4d52-9ee8-b059e368033c)][[Remote Shell Execution in Python](https://app.tidalcyber.com/references/4ea54256-42f9-4b35-8f9e-e595ab9be9ce)]
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.[[Microsoft CryptUnprotectData April 2018](https://app.tidalcyber.com/references/258088ae-96c2-4520-8eb5-1a7e540a9a24)]Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.[[Proofpoint Vega Credential Stealer May 2018](https://app.tidalcyber.com/references/c52fe62f-4df4-43b0-a126-2df07dc61fc0)][[FireEye HawkEye Malware July 2017](https://app.tidalcyber.com/references/7ad228a8-5450-45ec-86fc-ea038f7c6ef7)] Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://app.tidalcyber.com/technique/9503955c-fa53-452a-b717-7e23bfb4df83).
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[[GitHub Mimikittenz July 2016](https://app.tidalcyber.com/references/2e0a95b2-3f9a-4638-9bc5-ff1f3ac2af4b)]
After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd).[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)]
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) may be used for local or remote Registry modification. [[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) or other utilities using the Win32 API. [[Microsoft Reghide NOV 2006](https://app.tidalcyber.com/references/42503ec7-f5da-4116-a3b3-a1b18a66eed3)] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. [[TrendMicro POWELIKS AUG 2014](https://app.tidalcyber.com/references/4a42df15-4d09-4f4f-8333-2b41356fdb80)][[SpectorOps Hiding Reg Jul 2017](https://app.tidalcyber.com/references/877a5ae4-ec5f-4f53-b69d-ba74ff9e1619)]
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. [[Microsoft Remote](https://app.tidalcyber.com/references/331d59e3-ce7f-483c-b77d-001c8a9ae1df)] Often [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) are required, along with access to the remote system’s [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) for RPC communication.
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.[[NT API Windows](https://app.tidalcyber.com/references/306f7da7-caa2-40bf-a3db-e579c541eeb4)][[Linux Kernel API](https://app.tidalcyber.com/references/0a30d54e-187a-43e0-9725-3c80aa1c7619)] These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.[[OutFlank System Calls](https://app.tidalcyber.com/references/c4c3370a-2d6b-4ebd-961e-58d584066377)][[CyberBit System Calls](https://app.tidalcyber.com/references/c13cf528-2a7d-4a32-aee2-db5db2f30298)][[MDSec System Calls](https://app.tidalcyber.com/references/b461e226-1317-4ce4-a195-ba4c4957db99)] For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.[[Microsoft CreateProcess](https://app.tidalcyber.com/references/aa336e3a-464d-48ce-bebb-760b73764610)][[GNU Fork](https://app.tidalcyber.com/references/c46331cb-328a-46e3-89c4-e43fa345d6e8)] This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.[[Microsoft Win32](https://app.tidalcyber.com/references/585b9975-3cfb-4485-a9eb-5eea337ebd3c)][[LIBC](https://app.tidalcyber.com/references/a3fe6ea5-c443-473a-bb13-b4fd8f4923fd)][[GLIBC](https://app.tidalcyber.com/references/75a6a1bf-a5a7-419d-b290-6662aeddb7eb)]Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.[[Microsoft NET](https://app.tidalcyber.com/references/b4727044-51bb-43b3-afdb-515bb4bb0f7e)][[Apple Core Services](https://app.tidalcyber.com/references/0ef05e47-1305-4715-a677-67f1b55b24a3)][[MACOS Cocoa](https://app.tidalcyber.com/references/6ada4c6a-23dc-4469-a3a1-1d3b4935db97)][[macOS Foundation](https://app.tidalcyber.com/references/ea194268-0a8f-4494-be09-ef5f679f68fe)]
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6)).
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or Get-Process via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show processes` can be used to display current running processes.[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)][[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.The Registry contains a significant amount of information about the operating system, configuration, software, and security.[[Wikipedia Windows Registry](https://app.tidalcyber.com/references/656f0ffd-33e0-40ef-bdf7-70758f855f18)] Information can easily be queried using the [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://app.tidalcyber.com/technique/58722f84-b119-45a8-8e29-0065688015ee) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.[[CopyFromScreen .NET](https://app.tidalcyber.com/references/b9733af4-ffb4-416e-884e-d51649aecbce)][[Antiquated Mac Malware](https://app.tidalcyber.com/references/165edb01-2681-45a3-b76b-4eb7dee5dab9)]
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).[[Auth0 – Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)] OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]
Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft’s Authorization Code Grant flow.[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)][[Microsoft – OAuth Code Authorization flow – June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user’s OAuth token.[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)][[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)] The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[[Microsoft – Azure AD App Registration – May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)] Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).[[Microsoft – Azure AD Identity Tokens – Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]
Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)], allowing them to obtain new access tokens without prompting the user.
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]There are several examples of malware targeting cookies from web browsers on the local system.[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)][[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]
After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web application.
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) during automated discovery to shape follow-on behaviors.[[Deloitte Environment Awareness](https://app.tidalcyber.com/references/af842a1f-8f39-4b4f-b4d2-0bbb810e6c31)]Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a), [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde), [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea), and [Query Registry](https://app.tidalcyber.com/technique/58722f84-b119-45a8-8e29-0065688015ee) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.
Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.[[McAfee Virtual Jan 2017](https://app.tidalcyber.com/references/a541a027-733c-438f-a723-6f7e8e6f354c)] In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.
Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.[[Unit 42 OilRig Sept 2018](https://app.tidalcyber.com/references/84815940-b98a-4f5c-82fe-7d8bf2f51a09)]
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Tools such as [Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather detailed system information (e.g. show version).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)] [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.[[OSX.FairyTale](https://app.tidalcyber.com/references/27f8ad45-53d2-48ba-b549-f7674cf9c2e7)][[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)][[Google Instances Resource](https://app.tidalcyber.com/references/9733447c-072f-4da8-9cc7-0a0ce6a3b820)][[Microsoft Virutal Machine API](https://app.tidalcyber.com/references/f565c237-07c5-4e9e-9879-513627517109)]
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)][[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)][[Bleepingcomputer RAT malware 2020](https://app.tidalcyber.com/references/a587ea99-a951-4aa8-a3cf-a4822ae97490)] Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)] In cloud environments, an instance’s availability zone may also be discovered by accessing the instance metadata service from the instance.[[AWS Instance Identity Documents](https://app.tidalcyber.com/references/efff0080-59fc-4ba7-ac91-771358f68405)][[Microsoft Azure Instance Metadata 2021](https://app.tidalcyber.com/references/66e93b75-0067-4cdb-b695-8f8109ef26e0)]Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.[[Securelist Trasparent Tribe 2020](https://app.tidalcyber.com/references/0db470b1-ab22-4b67-a858-472e4de7c6f0)][[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)]
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.Adversaries may use the information from [System Service Discovery](https://app.tidalcyber.com/technique/e0a347e2-2ac5-458b-ab0f-18d81b6d6055) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)][[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]System time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using w32tm /tz.[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show clock detail` can be used to see the current time configuration.[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)[[RSA EU12 They’re Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)], or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).While [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). For example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
