keyboy systeminfo

Hunt Hypothesis

The keyboy_systeminfo rule detects potential adversary use of a custom tool to gather system information, which may indicate reconnaissance or initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage threats and prevent further lateral movement or data exfiltration.

YARA Rule

rule keyboy_systeminfo
{

    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the system information format before sending to C2"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"

    strings:
        //These strings are ASCII pre-2015 and UNICODE in 2016
        $s1 = "SystemVersion:    %s" ascii wide
        $s2 = "Product  ID:      %s" ascii wide
        $s3 = "InstallPath:      %s" ascii wide
        $s4 = "InstallTime:      %d-%d-%d, %02d:%02d:%02d" ascii wide
        $s5 = "ResgisterGroup:   %s" ascii wide
        $s6 = "RegisterUser:     %s" ascii wide
        $s7 = "ComputerName:     %s" ascii wide
        $s8 = "WindowsDirectory: %s" ascii wide
        $s9 = "System Directory: %s" ascii wide
        $s10 = "Number of Processors:       %d" ascii wide
        $s11 = "CPU[%d]:  %s: %sMHz" ascii wide
        $s12 = "RAM:         %dMB Total, %dMB Free." ascii wide
        $s13 = "DisplayMode: %d x %d, %dHz, %dbit" ascii wide
        $s14 = "Uptime:      %d Days %02u:%02u:%02u" ascii wide

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and 7 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 14 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System information is collected as part of a scheduled maintenance task using PowerShell script Get-SystemInfo.ps1
  Filter/Exclusion: process.name != "powershell.exe" or process.args not contains "Get-SystemInfo.ps1"

• Scenario: A system administrator runs System Information tool (msinfo32.exe) to troubleshoot a hardware issue
  Filter/Exclusion: process.name != "msinfo32.exe" or process.user != "Administrator"

• Scenario: A Windows Update task triggers a systeminfo call during patch deployment
  Filter/Exclusion: process.name != "svchost.exe" or process.parent.name != "svchost.exe" and process.args not contains "wuauclt.exe"

• Scenario: A third-party monitoring tool like Nagios or Zabbix executes a systeminfo command to check system health
  Filter/Exclusion: process.name not in ("nagios.exe", "zabbix_agentd.exe") or process.parent.name != "nagios.exe"

• Scenario: A Windows Task Scheduler job runs a script to gather system metrics for reporting purposes
  Filter/Exclusion: process.parent.name != "schtasks.exe" or process.args not contains "SystemMetricsReport.ps1"