LoFP / administrators debugging servers

Techniques

Sample rules

System Information Discovery Detection

Description

The following analytic identifies system information discovery techniques, such as the execution of commands like wmic qfe, systeminfo, and hostname. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*wmic* qfe*" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name 
| `drop_dm_object_name(Processes)` 
| eventstats dc(process) as dc_processes_by_dest by dest 
| where dc_processes_by_dest > 2 
| stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `system_information_discovery_detection_filter`
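As an added example (not part of this LoFP page or of Splunk's own content), the Python below re-implements the rule's logic over constructed EDR process events, so you can see why an administrator debugging a server trips the same dc_processes_by_dest > 2 threshold as the suspicious case, and why the final filter macro is where that false positive has to be tuned out. The ev helper and the allowed_users parameter are assumptions standing in for the data model fields and the filter macro.

```python
import re
from collections import defaultdict

def ev(t, user, dest, process_name, process, parent_process_name):
    return {"_time": t, "user": user, "dest": dest, "process_name": process_name,
            "process": process, "parent_process_name": parent_process_name}

# Constructed sample EDR process events (not real telemetry); ISO 8601 timestamps sort chronologically
SAMPLE_EVENTS = [
    # web01: three distinct discovery commands spawned by a web worker process
    ev("2024-05-01T09:00:01", "CORP\\svc-web", "web01", "cmd.exe", "cmd.exe /c wmic qfe list", "w3wp.exe"),
    ev("2024-05-01T09:00:05", "CORP\\svc-web", "web01", "cmd.exe", "cmd.exe /c systeminfo", "w3wp.exe"),
    ev("2024-05-01T09:00:09", "CORP\\svc-web", "web01", "cmd.exe", "cmd.exe /c hostname", "w3wp.exe"),
    # srv02: an administrator debugging the server runs the same three commands
    ev("2024-05-01T10:15:00", "CORP\\jdoe", "srv02", "systeminfo.exe", "systeminfo", "cmd.exe"),
    ev("2024-05-01T10:15:30", "CORP\\jdoe", "srv02", "HOSTNAME.EXE", "hostname", "cmd.exe"),
    ev("2024-05-01T10:16:00", "CORP\\jdoe", "srv02", "WMIC.exe", "wmic qfe get hotfixid", "cmd.exe"),
    # srv03: a single hostname call, below the dc_processes_by_dest > 2 threshold
    ev("2024-05-01T11:00:00", "CORP\\backup", "srv03", "HOSTNAME.EXE", "hostname", "backup.exe"),
]

# Regex equivalents of the three wildcard terms in the tstats where-clause
# (Splunk wildcard matching is case-insensitive, hence re.I).
PATTERNS = [re.compile(p, re.I) for p in (r"wmic.* qfe", r"systeminfo", r"hostname")]

def detect(events, allowed_users=frozenset()):
    """Mirror the SPL: keep matching events, count distinct command lines per dest,
    drop hosts with two or fewer, then summarise by user, dest and parent process.
    allowed_users stands in for the *_filter tuning macro (an assumed knob)."""
    matched = [e for e in events if any(p.search(e["process"]) for p in PATTERNS)]
    distinct_by_dest = defaultdict(set)          # eventstats dc(process) by dest
    for e in matched:
        distinct_by_dest[e["dest"]].add(e["process"])
    groups = {}
    for e in matched:
        # where dc_processes_by_dest > 2; the filter runs after stats, so allow-listing never lowers the count
        if len(distinct_by_dest[e["dest"]]) <= 2 or e["user"] in allowed_users:
            continue
        key = (e["user"], e["dest"], e["parent_process_name"])
        g = groups.setdefault(key, {"user": key[0], "dest": key[1], "parent_process_name": key[2],
                                    "process": set(), "firstTime": e["_time"], "lastTime": e["_time"]})
        g["process"].add(e["process"])                        # values(process)
        g["firstTime"] = min(g["firstTime"], e["_time"])      # min(firstTime)
        g["lastTime"] = max(g["lastTime"], e["_time"])        # max(lastTime)
    return sorted(groups.values(), key=lambda g: (g["dest"], g["user"]))

if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):               # fires on web01 and on srv02
        print(r["dest"], r["user"], r["parent_process_name"], sorted(r["process"]))
    print([r["dest"] for r in detect(SAMPLE_EVENTS, allowed_users={"CORP\\jdoe"})])  # ['web01']
```

Both hosts surface identically in the raw results; only the parent process (w3wp.exe versus an interactive cmd.exe) and the filter macro separate the admin's session from the case worth triaging.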