action: global
title: System Information Discovery
status: stable
description: Detects system information discovery commands
author: Ömer Günal, oscd.community
date: 2020/10/08
modified: 2020/05/30
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
falsepositives:
    - Legitimate administration activities
level: informational
tags:
    - attack.discovery
    - attack.t1082
---
id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
          - '/uname'
          - '/hostname'
          - '/uptime'
          - '/lspci'
          - '/dmidecode'
          - '/lscpu'
          - '/lsmod'
    condition: selection
---
id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
logsource:
    product: linux
    service: auditd
detection:
    selection:
      type: 'PATH'
      name:
          - '/sys/class/dmi/id/bios_version'
          - '/sys/class/dmi/id/product_name'
          - '/sys/class/dmi/id/chassis_vendor'
          - '/proc/scsi/scsi'
          - '/proc/ide/hd0/model'
          - '/proc/version'
          - '/etc/*version'
          - '/etc/*release'
          - '/etc/issue'
    condition: selection