Detection of System Information Discovery Techniques
This brief covers the detection of adversaries using native Windows commands like `wmic qfe`, `systeminfo`, and `hostname` to gather system information for further exploitation.
This detection focuses on identifying the use of system information discovery techniques by adversaries on Windows systems. Attackers commonly use commands such as wmic qfe, systeminfo, and hostname to enumerate system details like installed software, hardware configuration, and network information. This reconnaissance activity allows them to tailor subsequent attacks, identify vulnerabilities, and potentially escalate privileges or move laterally within the network. The detection leverages Endpoint Detection and Response (EDR) data, specifically process execution logs, to identify suspicious usage patterns of these commands. Monitoring for these activities can help defenders identify early stages of an attack and prevent further compromise. This analytic was last updated in March 2026.
Attack Chain
- Initial Access: The attacker gains initial access to the system via unspecified means.
- Command Execution: The attacker executes
wmic qfeto gather a list of installed Quick Fix Engineering (QFE) updates, revealing patch levels. - System Enumeration: The attacker executes
systeminfoto collect detailed system configuration information, including OS version, installed hotfixes, and hardware details. - Hostname Discovery: The attacker executes
hostnameto identify the system's hostname, aiding in network mapping. - Data Aggregation: The attacker aggregates the collected system information to identify potential vulnerabilities or misconfigurations.
- Privilege Escalation: Based on the gathered information, the attacker attempts to exploit identified vulnerabilities to escalate privileges.
- Lateral Movement: The attacker uses the gathered information to identify other vulnerable systems within the network and move laterally.
- Objective Completion: The attacker achieves their final objective, such as data exfiltration, deploying ransomware, or establishing persistence.
Impact
Successful exploitation following system information discovery can lead to significant damage. Attackers can use the gathered information to escalate privileges, move laterally to other systems, and ultimately exfiltrate sensitive data, deploy ransomware, or establish long-term persistence. Identifying these techniques early is critical to prevent significant compromise.
Recommendation
- Deploy the Sigma rule "Detect System Information Discovery" to your SIEM, focusing on
process_creationlogs from Windows systems (Sysmon EventID 1, Windows Event Log Security 4688, CrowdStrike ProcessRollup2). - Tune the Sigma rule by filtering out known-good processes or administrative accounts that legitimately use these commands for system maintenance.
- Enable command-line logging for process creation events via Sysmon or Windows Event Logging to ensure the detection has the necessary data to function effectively.
Detection coverage 1
Detect System Information Discovery
mediumDetects the execution of common system information discovery commands such as wmic qfe, systeminfo, and hostname.
Detection queries are available on the platform. Get full rules →