Attackers Collect System Information Using Built-in Tools
Cybersecurity firm Picus Security has analyzed how attackers exploit native operating system tools to gather information about systems and networks, highlighting the prevalence of this technique.

Cybersecurity firm Picus Security has released an analysis detailing how adversaries exploit built-in operating system tools to gather information about compromised systems, a technique known as "System Information Discovery" (T1082).
The firm's report indicates this technique was the seventh most prevalent among identified attack methods in 2025. Attackers use it to collect details such as operating system versions, hardware specifications, and network configurations. This reconnaissance helps attackers identify vulnerabilities and optimize their attack strategies.
Picus Security notes that attackers frequently utilize "living-off-the-land" binaries (LOLBins) and native tools. Because these tools are part of the standard OS, they allow attackers to operate stealthily, mimicking legitimate system activity and making detection more difficult.
Commonly used commands for information gathering include systeminfo on Windows, systemsetup or system_profiler on macOS, and uname or sysinfo on Linux. The data gathered through these commands aids attackers in tailoring their tools and methods to the target environment.
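Because these tools also run during normal administration, a detection usually needs context beyond the command name. The following added example (not from Picus Security's report) flags the commands listed above in process-creation events only when the parent process is unusual or several discovery tools run in a short burst; the event fields, parent list, window and threshold are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Commands the article lists for System Information Discovery (T1082).
DISCOVERY_TOOLS = {"systeminfo", "systemsetup", "system_profiler", "uname", "sysinfo"}
# Assumption: parents that rarely have a legitimate reason to spawn these tools.
UNUSUAL_PARENTS = {"winword", "excel", "w3wp", "nginx", "java"}
WINDOW_SECONDS = 300  # assumption: window for correlating executions
BURST_THRESHOLD = 3   # assumption: executions per (host, user) within the window


def tool_name(path):
    """Normalise an image path to a lowercase tool name without .exe."""
    base = ntpath.basename(path).lower()  # ntpath splits on both '\\' and '/'
    return base[:-4] if base.endswith(".exe") else base


def detect(events):
    """Return alerts for T1082-style activity in process-creation events."""
    alerts = []
    recent = defaultdict(list)  # (host, user) -> [(ts, tool), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        tool = tool_name(ev["image"])
        if tool not in DISCOVERY_TOOLS:
            continue
        key = (ev["host"], ev["user"])
        # Keep only executions inside the sliding window, then add this one.
        recent[key] = [(t, n) for t, n in recent[key] if ev["ts"] - t <= WINDOW_SECONDS]
        recent[key].append((ev["ts"], tool))
        reasons = []
        if tool_name(ev["parent"]) in UNUSUAL_PARENTS:
            reasons.append("unusual parent " + tool_name(ev["parent"]))
        if len(recent[key]) >= BURST_THRESHOLD:
            reasons.append("burst of %d executions" % len(recent[key]))
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"], "tool": tool, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\systeminfo.exe"},
    {"ts": 200, "host": "web1", "user": "www-data", "parent": "/usr/sbin/nginx", "image": "/usr/bin/uname"},
    {"ts": 300, "host": "mac7", "user": "bob", "parent": "/bin/zsh", "image": "/usr/sbin/system_profiler"},
    {"ts": 330, "host": "mac7", "user": "bob", "parent": "/bin/zsh", "image": "/usr/sbin/systemsetup"},
    {"ts": 360, "host": "mac7", "user": "bob", "parent": "/bin/zsh", "image": "/usr/bin/uname"},
    {"ts": 400, "host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
]
```

On the sample data, the single `systeminfo` run from a desktop session produces no alert, while the web-server child process and the three-command burst do.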
Picus Security emphasizes that understanding these techniques is crucial for organizations aiming to effectively protect their systems and infrastructure against evolving cyber threats.