System and Hardware Information Discovery
Detects system information discovery commands, keyed on auditd PATH records for files that reveal firmware, hardware and OS version details
Sigma rule

title: System and Hardware Information Discovery
id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
related:
    - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
      type: derived
status: stable
description: Detects system information discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
author: Ömer Günal, oscd.community
date: 2020-10-08
modified: 2022-11-26
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - '/sys/class/dmi/id/bios_version'
            - '/sys/class/dmi/id/product_name'
            - '/sys/class/dmi/id/chassis_vendor'
            - '/proc/scsi/scsi'
            - '/proc/ide/hd0/model'
            - '/proc/version'
            - '/etc/*version'
            - '/etc/*release'
            - '/etc/issue'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
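The rule above only fires when auditd actually produces PATH records for these files, which requires a loaded audit rule that covers them (for example a watch such as `auditctl -w /etc/issue -p r -k sysinfo`); with no matching audit rule there is nothing for the selection to match. The following is an added example, not code from the Sigma project or the rule author: it translates the rule's `name` values into Sigma-style wildcard matches (`*` is zero or more characters, `?` exactly one, case-insensitive by default), parses the key=value fields of raw auditd lines, and applies the `selection` to a few constructed records. The log lines are constructed for illustration and include a relative path (`cat issue` run from `/etc`), which the rule does not match because auditd records the pathname exactly as the syscall received it.

```python
"""Apply the Sigma rule's selection to raw auditd PATH records.

Added example, not part of the Sigma project; all log lines are constructed.
"""
import re

# The 'name' values from the rule's selection, verbatim.
SELECTION_NAMES = [
    "/sys/class/dmi/id/bios_version",
    "/sys/class/dmi/id/product_name",
    "/sys/class/dmi/id/chassis_vendor",
    "/proc/scsi/scsi",
    "/proc/ide/hd0/model",
    "/proc/version",
    "/etc/*version",
    "/etc/*release",
    "/etc/issue",
]


def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one Sigma string value into an anchored regex.

    Sigma treats '*' as zero or more characters and '?' as exactly one;
    everything else is literal, and matching is case-insensitive by default.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


SELECTION = [sigma_pattern_to_regex(p) for p in SELECTION_NAMES]

# auditd emits space-separated key=value pairs; string values are normally
# double-quoted, other values are bare.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_record(line: str) -> dict:
    """Return the key=value fields of one raw auditd line as a dict."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def rule_matches(record: dict) -> bool:
    """The rule's condition: type is PATH and name matches any listed value."""
    if record.get("type") != "PATH":
        return False
    name = record.get("name", "")
    return any(rx.match(name) for rx in SELECTION)


def scan(lines) -> list:
    """Return the name of every record in `lines` that triggers the rule."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rule_matches(rec):
            hits.append(rec["name"])
    return hits


# Constructed sample records (not real captures); item/inode fields trimmed.
SAMPLE_LOG = [
    'type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/os-release" inode=131 nametype=NORMAL',
    'type=PATH msg=audit(1700000000.102:202): item=0 name="/sys/class/dmi/id/product_name" inode=77 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes comm="cat" exe="/usr/bin/cat" key="sysinfo"',
    'type=PATH msg=audit(1700000000.103:203): item=0 name="/etc/passwd" inode=88 nametype=NORMAL',
    # 'cd /etc && cat issue': the PATH name is relative, so the rule misses it.
    'type=CWD msg=audit(1700000000.104:204): cwd="/etc"',
    'type=PATH msg=audit(1700000000.104:204): item=0 name="issue" inode=90 nametype=NORMAL',
    'type=PATH msg=audit(1700000000.105:205): item=0 name="/proc/version" inode=4026 nametype=NORMAL',
    'type=PATH msg=audit(1700000000.106:206): item=0 name="/etc/debian_version" inode=91 nametype=NORMAL',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("match:", hit)
```

Two further caveats when running this against production auditd output: a `name` containing a space, double quote or control character is hex-encoded and printed without quotes, so such records need decoding (as `ausearch -i` does) before matching, and, as the relative-path sample shows, this rule keys on the pathname argument rather than the resolved file, so a `CWD` record plus a relative `name` is one way the access is logged but not detected.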
Related rules
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS
- Docker Container Discovery Via Dockerenv Listing
- HackTool - PCHunter Execution