System Information Discovery - Auditd
Detects System Information Discovery commands
Sigma rule
title: System Information Discovery - Auditd
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
status: test
description: Detects System Information Discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
author: Pawel Mazur
date: 2021-09-03
modified: 2023-03-06
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: PATH
        name:
            - /etc/lsb-release
            - /etc/redhat-release
            - /etc/issue
    selection_2:
        type: EXECVE
        a0:
            - uname
            - uptime
            - lsmod
            - hostname
            - env
    selection_3:
        type: EXECVE
        a0: grep
        a1|contains:
            - vbox
            - vm
            - xen
            - virtio
            - hv
    selection_4:
        type: EXECVE
        a0: kmod
        a1: list
    condition: 1 of selection_*
falsepositives:
    - Likely
level: low
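The rule only fires if auditd actually emits EXECVE and PATH records for these events, which requires an execve syscall rule (for example `auditctl -a always,exit -F arch=b64 -S execve -k exec`) and read watches on the release files (`auditctl -w /etc/issue -p r -k sysinfo`, and likewise for the other two paths). To make the matching semantics concrete, the following is an added example, not code from the SigmaHQ project or the rule's author: a small parser for auditd's raw key=value record format and a direct transcription of the four selections and the `1 of selection_*` condition, run over constructed sample records. Function names (`parse_record`, `matching_selections`, `evaluate`) and all sample log lines are this example's own.

```python
"""Evaluate the auditd System Information Discovery rule against raw auditd lines.

Added example, not part of the Sigma rule or the SigmaHQ project: a minimal
parser for auditd's key=value record format and a transcription of the rule's
four selections. All sample records below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records in auditd's raw log format (not from the page).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1694000000.101:201): argc=2 a0="uname" a1="-a"
type=PATH msg=audit(1694000000.102:202): item=0 name="/etc/redhat-release" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=EXECVE msg=audit(1694000000.103:203): argc=3 a0="grep" a1="-i" a2="vbox"
type=EXECVE msg=audit(1694000000.104:204): argc=3 a0="grep" a1="vmlinuz" a2="/proc/cmdline"
type=EXECVE msg=audit(1694000000.105:205): argc=2 a0="kmod" a1="list"
type=EXECVE msg=audit(1694000000.106:206): argc=2 a0="cat" a1="/etc/passwd"
type=EXECVE msg=audit(1694000000.107:207): argc=3 a0="grep" a1=78656E207076 a2="/proc/cpuinfo"
type=EXECVE msg=audit(1694000000.108:208): argc=1 a0="/usr/bin/uname"
type=EXECVE msg=audit(1694000000.109:209): argc=1 a0="env"
"""

# Values taken from the rule's selections. Sigma compares string values
# case-insensitively by default, so everything is lower-cased before matching.
PATH_NAMES = {"/etc/lsb-release", "/etc/redhat-release", "/etc/issue"}
SYSINFO_BINARIES = {"uname", "uptime", "lsmod", "hostname", "env"}
VIRT_SUBSTRINGS = ("vbox", "vm", "xen", "virtio", "hv")

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one raw auditd line into a field dict.

    auditd quotes printable argv values; an argument containing a space, a
    double quote or a non-printable byte is logged unquoted as hex instead
    (the form `ausearch -i` decodes), so unquoted aN values are hex-decoded.
    """
    fields: Dict[str, str] = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare and re.fullmatch(r"a\d+", key) and HEX_RE.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", errors="replace")
        else:
            fields[key] = bare if bare else quoted
    m = SERIAL_RE.search(line)
    fields["serial"] = m.group(1) if m else ""
    return fields


def matching_selections(rec: Dict[str, str]) -> List[str]:
    """Return the names of the rule's selections that this record satisfies."""
    hits: List[str] = []
    a0 = rec.get("a0", "").lower()
    a1 = rec.get("a1", "").lower()
    if rec.get("type") == "PATH" and rec.get("name", "").lower() in PATH_NAMES:
        hits.append("selection_1")
    if rec.get("type") == "EXECVE":
        if a0 in SYSINFO_BINARIES:          # exact match on argv[0], as in the rule
            hits.append("selection_2")
        # The rule inspects only a1, so that is all that is checked here.
        if a0 == "grep" and any(s in a1 for s in VIRT_SUBSTRINGS):
            hits.append("selection_3")
        if a0 == "kmod" and a1 == "list":
            hits.append("selection_4")
    return hits


def evaluate(log_text: str) -> List[Tuple[str, List[str]]]:
    """Apply `condition: 1 of selection_*`: a record alerts when any selection hits."""
    alerts: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = matching_selections(rec)
        if hits:
            alerts.append((rec["serial"], hits))
    return alerts


if __name__ == "__main__":
    for serial, hits in evaluate(SAMPLE_LOG):
        print(f"audit serial {serial}: {', '.join(hits)}")
```

Three of the constructed records are there to show edges worth knowing when tuning: record 204 (`grep vmlinuz`) alerts because `vm` is a substring of `vmlinuz`, which is the kind of benign hit behind `falsepositives: Likely`; record 207 carries its argument hex-encoded and only matches once decoded, so a pipeline that forwards raw auditd fields without `ausearch -i`-style decoding will miss it; and record 208 does not alert because `a0` is compared exactly and `/usr/bin/uname` is not `uname`.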
Related rules
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS
- Docker Container Discovery Via Dockerenv Listing
- HackTool - PCHunter Execution