S0165: OSInfo
Analyst context for executives and security teams
OSInfo is a Windows custom discovery tool described by MITRE as used by APT3 to collect internal information about a victim computer and network. Its business significance is not the tool name itself, but the reconnaissance pattern: account, group, registry, system, network connection, remote system, and share discovery can help an intruder understand where valuable data and privileged paths exist before lateral movement or collection.
Executive priority
Treat OSInfo-style activity as an early warning that an endpoint may be in the mapping phase of an intrusion. Leadership should ask whether Windows endpoint, identity, and network-share telemetry can show who queried systems, accounts, groups, registry data, network connections, and shares; whether privileged account exposure is measurable; and whether incident responders can quickly distinguish legitimate administration from suspicious discovery. This supports resilience planning, audit evidence for monitoring, and prioritization of identity and endpoint visibility controls.
Technical view
MITRE provides no dedicated detection text for OSInfo, so SOC validation should pivot from the software object to its relationships: Query Registry, System Network Configuration Discovery, Remote System Discovery, System Network Connections Discovery, Local and Domain Groups, System Information Discovery, Local and Domain Account Discovery, and Network Share Discovery. On Windows, detection engineering should validate visibility into command/process execution, registry queries, account and group enumeration, domain lookups, network connection listing, remote host enumeration, and SMB/share discovery. Analysts should correlate bursts of these discovery behaviors from the same host, user, or process lineage, especially when performed outside normal administrative context.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Registry access or registry query telemetry
- Local user and local group enumeration evidence
- Domain user and domain group query evidence from endpoints and directory services
- Network connection enumeration evidence from the host
Detection direction
- Build detections around clusters of discovery behaviors rather than the OSInfo name alone, since the official object does not provide indicators or detection logic.
- Baseline legitimate administrative discovery tools and scripts to reduce false positives from help desk, IT operations, inventory, and vulnerability management activity.
- Correlate account/group enumeration with network and share discovery from the same Windows endpoint to identify reconnaissance chains.
- Validate whether EDR, Windows logging, and directory telemetry preserve command line, parent process, user, host, and remote target context needed for triage.
- Review blind spots around unmanaged Windows hosts, limited command-line logging, missing registry telemetry, and incomplete SMB/share visibility.
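As an added example (not part of the mirrored ATT&CK object or Glexia's analysis), the following Python sketch shows the clustering approach described above: it tags Windows process-creation events with the discovery techniques listed in the OSInfo relationship table, groups them by host and user, and alerts only when several distinct discovery techniques occur within a short window from a non-baselined parent process. The event records, the command-line patterns, the `InventoryAgent.exe` allowlist entry and the 10-minute / 3-technique thresholds are all constructed assumptions for illustration, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns mapped to the discovery techniques that the
# OSInfo relationship table lists. These regexes are illustrative, not a
# vetted rule set; tune them against your own telemetry.
DISCOVERY_PATTERNS = {
    "T1087.001 Local Account": re.compile(r"\bnet1?\s+user\b(?!.*/domain)", re.I),
    "T1087.002 Domain Account": re.compile(r"\bnet1?\s+user\b.*/domain", re.I),
    "T1069.001 Local Groups": re.compile(r"\bnet1?\s+localgroup\b", re.I),
    "T1069.002 Domain Groups": re.compile(r"\bnet1?\s+group\b.*/domain", re.I),
    "T1012 Query Registry": re.compile(r"\breg(?:\.exe)?\s+query\b", re.I),
    "T1082 System Information": re.compile(r"\bsysteminfo\b", re.I),
    "T1049 Network Connections": re.compile(r"\bnetstat\b", re.I),
    "T1018 Remote System": re.compile(r"\bnet1?\s+view\b", re.I),
    "T1135 Network Share": re.compile(r"\bnet1?\s+share\b", re.I),
    "T1016 Network Configuration": re.compile(r"\bnltest\b|\bipconfig\b", re.I),
}

# Hypothetical baseline: parent processes whose discovery commands are expected
# (e.g. an inventory agent). Lower-cased for comparison.
BASELINE_PARENTS = frozenset({"inventoryagent.exe"})

# Constructed sample of process-creation events (4688/EDR-style, simplified).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe", "cmd": "net user"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-05-01T09:00:09", "host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe", "cmd": "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\""},
    {"ts": "2024-05-01T09:00:12", "host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe", "cmd": "netstat -ano"},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe", "cmd": "net view /domain"},
    # Same kinds of commands from an allowlisted inventory agent: baseline, not an alert.
    {"ts": "2024-05-01T09:30:00", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "parent": "InventoryAgent.exe", "cmd": "systeminfo"},
    {"ts": "2024-05-01T09:30:02", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "parent": "InventoryAgent.exe", "cmd": "net share"},
    {"ts": "2024-05-01T09:30:04", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "parent": "InventoryAgent.exe", "cmd": "netstat -an"},
    # Help-desk user touching only two discovery categories: below threshold.
    {"ts": "2024-05-01T10:00:00", "host": "WS03", "user": "CORP\\bob", "parent": "powershell.exe", "cmd": "net localgroup administrators"},
    {"ts": "2024-05-01T10:00:30", "host": "WS03", "user": "CORP\\bob", "parent": "powershell.exe", "cmd": "systeminfo"},
]


def classify(cmd):
    """Return the list of discovery techniques whose pattern matches a command line."""
    return [tech for tech, pat in DISCOVERY_PATTERNS.items() if pat.search(cmd)]


def detect_discovery_chains(events, window=timedelta(minutes=10), min_techniques=3,
                            baseline_parents=frozenset()):
    """Alert when one host/user pair shows >= min_techniques distinct discovery
    techniques inside `window`, ignoring events from baselined parent processes."""
    tagged = []
    for ev in events:
        if ev["parent"].lower() in baseline_parents:
            continue  # known administrative tooling; suppress
        techs = classify(ev["cmd"])
        if techs:
            tagged.append((datetime.fromisoformat(ev["ts"]), ev["host"], ev["user"], techs, ev["cmd"]))
    tagged.sort(key=lambda t: t[0])

    by_actor = defaultdict(list)
    for t in tagged:
        by_actor[(t[1], t[2])].append(t)

    alerts = []
    for (host, user), seq in by_actor.items():
        i = 0
        while i < len(seq):
            start_ts = seq[i][0]
            # Events are time-sorted, so the in-window set is a contiguous prefix of seq[i:].
            cluster = [t for t in seq[i:] if t[0] - start_ts <= window]
            techs = sorted({tech for t in cluster for tech in t[3]})
            if len(techs) >= min_techniques:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_ts": cluster[0][0].isoformat(),
                    "last_ts": cluster[-1][0].isoformat(),
                    "techniques": techs,
                    "commands": [t[4] for t in cluster],
                })
                i += len(cluster)  # one alert per cluster, then move past it
            else:
                i += 1
    return alerts


def run_sample():
    """Run the detector over the constructed events with the baseline applied."""
    return detect_discovery_chains(SAMPLE_EVENTS, baseline_parents=BASELINE_PARENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["host"], alert["user"], alert["techniques"])
```

Running the detector without `baseline_parents` produces a second alert for the inventory agent on WS02, which is the false-positive class the baselining bullet above is meant to remove; the WS03 activity stays below the threshold because it touches only two techniques. In production the same logic would be expressed as a SIEM correlation rule keyed on host, user and parent-process lineage, with the technique patterns replaced by your EDR's own command-line normalization.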
Mitigation priorities
- Prioritize visibility first: ensure Windows endpoint and identity logs can capture the discovery behaviors represented by the related ATT&CK techniques.
- Reduce excessive local and domain privileges so account and group discovery yields less useful escalation information.
- Harden and review network shares, especially broadly accessible shares that could guide follow-on collection or lateral movement.
- Segment networks and limit unnecessary host-to-host discovery paths where operationally feasible.
- Prepare incident response playbooks for discovery-stage alerts, including rapid host isolation criteria, account review, and scoping of related enumeration activity.
Analyst notes and limits
The supplied ATT&CK object identifies OSInfo as a Windows custom tool used by APT3 for internal discovery, with relationships to multiple discovery techniques. Because the object lacks aliases, labels, tactics, indicators, and official detection guidance, defensive value comes from mapping the related techniques to local telemetry and normal administrative behavior.
This take is limited to the supplied MITRE fields, external reference, and relationships. It does not establish current activity, customer exposure, exploitability, or guaranteed detection. Local environment baselines are required to separate authorized administration from suspicious discovery.
OSInfo
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.001 | Local Account Sub-technique | OSInfo enumerates local and domain users. [1] |
| Enterprise | T1012 | Query Registry | OSInfo queries the registry to look for information about Terminal Services. [1] |
| Enterprise | T1082 | System Information Discovery | OSInfo discovers information about the infected machine. [1] |
| Enterprise | T1049 | System Network Connections Discovery | OSInfo enumerates the current network connections similar to |
| Enterprise | T1018 | Remote System Discovery | OSInfo performs a connection test to discover remote systems in the network. [1] |
| Enterprise | T1069.002 | Domain Groups Sub-technique | OSInfo specifically looks for Domain Admins and power users within the domain. [1] |
| Enterprise | T1087.002 | Domain Account Sub-technique | OSInfo enumerates local and domain users. [1] |
| Enterprise | T1069.001 | Local Groups Sub-technique | OSInfo has enumerated the local administrators group. [1] |
| Enterprise | T1135 | Network Share Discovery | OSInfo discovers shares on the network. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | OSInfo discovers the current domain information. [1] |
Groups, software, and campaigns
G0022: APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9716c073ee55… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Buckeye: Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- [2] mitre-attack S0165: MITRE ATT&CK, software object S0165 (OSInfo).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.