System Info Discovery via Sysinfo Syscall

calendar Jun 5, 2025 · attack.discovery attack.t1057 attack.t1082  ·
Share on: linkedin copy

Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.

Sigma rule (View on GitHub)

 1title: System Info Discovery via Sysinfo Syscall
 2id: b207d563-a1d9-4275-b349-77d1eb55aa6d
 3status: experimental
 4description: |
 5    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
 6    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.    
 7references:
 8    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
 9    - https://man7.org/linux/man-pages/man2/sysinfo.2.html
10author: Milad Cheraghi
11date: 2025-05-30
12tags:
13    - attack.discovery
14    - attack.t1057
15    - attack.t1082
16logsource:
17    product: linux
18    service: auditd
19    definition: |
20        Required auditd configuration:
21        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
22        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall        
23detection:
24    selection:
25        type: 'SYSCALL'
26        syscall: 'sysinfo'
27    filter_optional_splunk:
28        exe|endswith: '/bin/splunkd'
29    condition: selection and not 1 of filter_optional_*
30falsepositives:
31    - Legitimate administrative activity
32level: low

References

Related rules

to-top