System and Hardware Information Discovery

Detects system information discovery commands

Sigma rule (View on GitHub)

 1title: System and Hardware Information Discovery
 2id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
 3related:
 4    - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
 5      type: derived
 6status: stable
 7description: Detects system information discovery commands
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
10author: Ömer Günal, oscd.community
11date: 2020/10/08
12modified: 2022/11/26
13tags:
14    - attack.discovery
15    - attack.t1082
16logsource:
17    product: linux
18    service: auditd
19detection:
20    selection:
21        type: 'PATH'
22        name:
23            - '/sys/class/dmi/id/bios_version'
24            - '/sys/class/dmi/id/product_name'
25            - '/sys/class/dmi/id/chassis_vendor'
26            - '/proc/scsi/scsi'
27            - '/proc/ide/hd0/model'
28            - '/proc/version'
29            - '/etc/*version'
30            - '/etc/*release'
31            - '/etc/issue'
32    condition: selection
33falsepositives:
34    - Legitimate administration activities
35level: informational

References

Related rules

to-top