Skip to content
Threat Feed
medium advisory

System Information Discovery Detection

This detection identifies system information discovery techniques by monitoring process execution logs for commands like `wmic qfe`, `systeminfo`, and `hostname`, often used by attackers to gather system configuration details for further exploitation, potentially leading to privilege escalation, persistence, or data exfiltration.

This detection focuses on identifying system information discovery techniques commonly employed by attackers to gather details about the target environment. Specifically, it monitors for the execution of commands such as wmic qfe, systeminfo, and hostname. These commands are frequently used in post-exploitation phases to enumerate system configurations and identify potential vulnerabilities. The detection leverages data from Endpoint Detection and Response (EDR) agents, making use of process execution logs to identify suspicious activity. The activity is significant because successful discovery of system information can allow attackers to tailor their attacks, leading to privilege escalation, persistence, or data exfiltration. The detection helps in identifying potential malicious activity early in the attack chain.

Attack Chain

  1. Initial Access: An attacker gains initial access to the system via an exploit or compromised credentials.
  2. Reconnaissance: The attacker executes commands like systeminfo to gather information about the operating system version, patch level, and hardware configuration.
  3. Discovery: The attacker uses wmic qfe to enumerate installed software updates and identify potential vulnerabilities that could be exploited.
  4. Enumeration: The attacker executes hostname to determine the system's hostname for network reconnaissance and lateral movement planning.
  5. Privilege Escalation: Based on the gathered system information, the attacker identifies and exploits a vulnerability to escalate privileges.
  6. Lateral Movement: Using the system information, the attacker moves laterally to other systems within the network, potentially targeting critical assets.
  7. Persistence: The attacker establishes persistence by creating a scheduled task or modifying registry keys to maintain access to the compromised system.

Impact

Successful exploitation of system information discovery can lead to significant consequences. Attackers can use the gathered data to tailor their attacks, escalate privileges, and move laterally within the network. This can result in data breaches, system compromise, and financial losses. The impact can range from minor disruptions to complete system takeover, depending on the attacker's objectives and the effectiveness of the defense mechanisms in place. The targeted sectors can vary, but organizations with sensitive data or critical infrastructure are at higher risk.

Recommendation

  • Deploy the Sigma rule System Information Discovery via Command Line to your SIEM to detect the execution of system information discovery commands (e.g., wmic qfe, systeminfo, hostname) based on process execution logs.
  • Enable Sysmon process-creation logging to capture detailed information about process execution, including command-line arguments, to activate the rules effectively.
  • Investigate any alerts generated by the Sigma rules and correlate them with other security events to identify potential malicious activity.
  • Ensure that your EDR solution is properly configured to capture and analyze process execution logs.

Detection coverage 2

System Information Discovery via Command Line

medium

Detects system information discovery commands executed via the command line.

sigma tactics: discovery techniques: T1082 sources: process_creation, windows

System Information Discovery via PowerShell

medium

Detects system information discovery commands executed via PowerShell.

sigma tactics: discovery techniques: T1082 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →