System Info Discovery via Sysinfo Syscall

calendar Dec 8, 2025 · attack.discovery attack.t1057 attack.t1082  ·
Share on: linkedin copy

Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.

Sigma rule (View on GitHub)

 1title: System Info Discovery via Sysinfo Syscall
 2id: b207d563-a1d9-4275-b349-77d1eb55aa6d
 3status: experimental
 4description: |
 5    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
 6    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.    
 7references:
 8    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
 9    - https://man7.org/linux/man-pages/man2/sysinfo.2.html
10author: Milad Cheraghi
11date: 2025-05-30
12modified: 2025-12-05
13tags:
14    - attack.discovery
15    - attack.t1057
16    - attack.t1082
17logsource:
18    product: linux
19    service: auditd
20    definition: |
21        Required auditd configuration:
22        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
23        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall        
24detection:
25    selection:
26        type: 'SYSCALL'
27        SYSCALL: 'sysinfo'
28    filter_optional_splunk:
29        exe|endswith: '/bin/splunkd'
30    condition: selection and not 1 of filter_optional_*
31falsepositives:
32    - Legitimate administrative activity
33level: low

References

Related rules

to-top