Adversaries may use system information discovery commands to gather details about the target environment, which can help them tailor further attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance activities early and prevent escalation to more severe compromises.
Detection Rule
title: System Information Discovery
id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
status: stable
description: Detects system information discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
author: Ömer Günal, oscd.community
date: 2020-10-08
modified: 2021-09-14
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/uname'
            - '/hostname'
            - '/uptime'
            - '/lspci'
            - '/dmidecode'
            - '/lscpu'
            - '/lsmod'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
imProcessCreate
| where TargetProcessName endswith "/uname"
    or TargetProcessName endswith "/hostname"
    or TargetProcessName endswith "/uptime"
    or TargetProcessName endswith "/lspci"
    or TargetProcessName endswith "/dmidecode"
    or TargetProcessName endswith "/lscpu"
    or TargetProcessName endswith "/lsmod"
Scenario: System information is gathered during routine system health checks using PowerShell’s Get-WmiObject or Get-CimInstance to check for OS version and system uptime.
Filter/Exclusion: Exclude processes initiated by the system account (SYSTEM) or those with a command line containing Get-WmiObject or Get-CimInstance and targeting Win32_OperatingSystem or Win32_ComputerSystem.
Scenario: An administrator runs systeminfo in a command prompt to troubleshoot a service failure or verify system configuration.
Filter/Exclusion: Exclude processes with the command line containing systeminfo and executed by a known admin account (e.g., Administrator or Domain Admins).
Scenario: A scheduled job runs wbinfo or netdom to check domain controller status or synchronize time with a domain controller.
Filter/Exclusion: Exclude processes with command lines containing wbinfo or netdom and executed by domain controller services or scheduled tasks with a known purpose.
Scenario: A security tool like Sysmon or OSSEC runs a script to collect system information for logging or compliance purposes.
Filter/Exclusion: Exclude processes initiated by the security tool itself or those with command lines containing known monitoring or logging scripts.
Scenario: A DevOps pipeline runs a script to gather system metrics for CI/CD purposes using PowerShell or Bash scripts.
Filter/Exclusion: Exclude processes with command lines containing Get-OS or uname -a and executed by a known DevOps service account or from a specific CI/CD pipeline directory.