Techniques
Sample rules
System Information Discovery Detection
- source: splunk
- technicques:
- T1082
Description
Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*wmic* qfe*" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| eventstats dc(process) as dc_processes_by_dest by dest
| where dc_processes_by_dest > 2
| stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `system_information_discovery_detection_filter`