System Information Discovery

 1title: System Information Discovery
 2id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
 3status: stable
 4description: Detects system information discovery commands
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
 7author: Ömer Günal, oscd.community
 8date: 2020-10-08
 9modified: 2021-09-14
10tags:
11    - attack.discovery
12    - attack.t1082
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith:
19            - '/uname'
20            - '/hostname'
21            - '/uptime'
22            - '/lspci'
23            - '/dmidecode'
24            - '/lscpu'
25            - '/lsmod'
26    condition: selection
27falsepositives:
28    - Legitimate administration activities
29level: informational

References

• atomic-red-team/atomics/T1082/T1082.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• Bitbucket User Details Export Attempt Detected
• Cisco Discovery
• Container Residence Discovery Via Proc Virtual FS
• Docker Container Discovery Via Dockerenv Listing
• HackTool - PCHunter Execution