System Information Discovery
Detects system information discovery commands
Sigma rule

```yaml
title: System Information Discovery
id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
status: stable
description: Detects system information discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
author: Ömer Günal, oscd.community
date: 2020-10-08
modified: 2021-09-14
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/uname'
            - '/hostname'
            - '/uptime'
            - '/lspci'
            - '/dmidecode'
            - '/lscpu'
            - '/lsmod'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
```
Related rules
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS
- Docker Container Discovery Via Dockerenv Listing
- HackTool - PCHunter Execution