System Information Discovery T1082

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery, which is an adversary's discovery of local drives, disks, and/or volumes.

Events covered

6 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 64 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (27 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field (rules): how (operator and count)
  Sample values

CommandLine (39 rules): contains 23, regex_match 11, match 5, ends_with 1, eq 1, in 1
  Sample values: (?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(conf..., (?i)(\s+|^)(systeminfo|reg\s+query|hostname|set)(\.exe)?(\s+|$), (?i)\s(os|logicaldisk|share|cpu|memorychip|useraccount|ni..., (?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery..., (?i)((whoami)|(dir)|(hostname)|(hostname)|(systeminfo)|(i...
EventID (26 rules): eq 26
  Sample values: 4688, 1, 4104, 4103, 4799
process_name (24 rules): eq 13, match 6, regex_match 4, in 1
  Sample values: wmic.exe, arp.exe, (?i)ipconfig.exe, (?i)net1?.exe, (?i)nltest.exe
OriginalFileName (18 rules): eq 17, in 1
  Sample values: wmic.exe, cmd.exe, fsutil.exe, netsh.exe, pchunter.exe
Image (16 rules): ends_with 15, regex_match 1
  Sample values: \wmic.exe, \reg.exe, \\winpeas\.exe|\\winpeasany\.exe|\\winpeasany_ofs\.exe|\\..., \auditpol.exe, \cmd.exe
Type (9 rules): eq 9
event.type (7 rules): eq 7
  Sample values: start
parent_process_name (7 rules): eq 3, regex_match 2, in 1, match 1, starts_with 1
  Sample values: (?i)(powershell|pwsh)\.exe, (?i)(powershell\.exe)|(cmd\.exe), AcroRd32.exe, Acrobat.exe, FoxitPhantomPDF.exe
dc_process (6 rules): gt 6
  Sample values: 3, 5
Description (4 rules): eq 4
  Sample values: WMI Commandline Utility, Epoolsoft Windows Information View Tools, System Informer
dc_process_name (4 rules): gt 4
  Sample values: 1, 2
ParentCommandLine (3 rules): contains 1, ends_with 1, regex_match 1
  Sample values: -linpeas, -linpeas$, \vmware\vmware tools\servicediscovery\scripts\
ScriptBlockText (3 rules): contains 2, in 1
  Sample values: *get-clipboardtext*, *returnhotfixid*, *start-aclcheck*, api.ipify.org, invoke-restmethod
process.args (3 rules): eq 3, starts_with 1, wildcard 1
  Sample values: /c, dir, get, key*clear, os
Hashes (2 rules): contains 2
  Sample values: imphash=0479f44df47cfa2ef1ccc4416a538663, imphash=444d210cea1ff8112f256a4997eed7ff, imphash=b68908adaeb5d662f87f2528af318f12, md5=19426363a37c03c3ed6fedf57b6696ec, md5=228dd0c2e6287547e26ffbd973a40f14

Top indicator values (339 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank corpus reach means the combination is specific to rules under this technique.

Field kind value (rules here / corpus reach)

EventID eq 4688 (9 / 312)
EventID eq 1 (8 / 232)
EventID eq 4104 (8 / 268)
OriginalFileName eq wmic.exe (9 / 61)
process_name eq wmic.exe (9 / 44)
process_name eq cmd.exe (5 / 75)
process_name eq hostname.exe (5 / 7)
process_name eq netsh.exe (5 / 18)
process_name eq systeminfo.exe (5 / 7)
process_name eq arp.exe (4 / 8)
process_name eq dsget.exe (4 / 7)
process_name eq dsquery.exe (4 / 12)
process_name eq gpresult.exe (4 / 7)
process_name eq ipconfig.exe (4 / 8)
process_name eq nbtstat.exe (4 / 7)
process_name eq net.exe (4 / 20)
process_name eq netstat.exe (4 / 7)
process_name eq nltest.exe (4 / 10)
process_name eq ping.exe (4 / 9)
process_name eq qprocess.exe (4 / 7)
process_name eq quser.exe (4 / 8)
process_name eq qwinsta.exe (4 / 8)
process_name eq reg.exe (4 / 20)
process_name eq sc.exe (4 / 27)
process_name eq tasklist.exe (4 / 9)
process_name eq tracert.exe (4 / 6)
process_name eq whoami.exe (4 / 11)
event.type eq start (7 / 241)
Image ends_with \wmic.exe (4 / 61)
dc_process gt 3 (4 / 4)

Exclusions (42 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field kind value (rules excluding)

CommandLine match (?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c (2)
user match \$$ (2)
CommandLine contains \\.\pipe\chrome.nativemessaging (1)
CommandLine contains c:\program files (x86)\internet download manager\idmmsghost.exe (1)
CommandLine contains chrome-extension:// (1)
EventData contains gc_service.exe (1)
EventData contains gc_worker.exe (1)
ParentCommandLine contains \vmware\vmware tools\servicediscovery\scripts\ (1)
ParentImage contains gc_service.exe (1)
ParentImage contains gc_worker.exe (1)
ParentImage starts_with ?:\program files (x86)\ (1)
ParentImage starts_with ?:\program files\ (1)
ParentImage starts_with ?:\programdata\ (1)
ParentImage wildcard ?:\program files (x86)\* (1)
ParentImage wildcard ?:\program files\* (1)

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.

Sigma: 18 rules
Elastic: 7 rules
Splunk: 35 rules
Kusto: 2 rules
YARA-L: 2 rules