{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/system-discovery/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["system-discovery","windows","post-exploitation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying the use of system information discovery techniques by adversaries on Windows systems. Attackers commonly use commands such as \u003ccode\u003ewmic qfe\u003c/code\u003e, \u003ccode\u003esysteminfo\u003c/code\u003e, and \u003ccode\u003ehostname\u003c/code\u003e to enumerate system details like installed software, hardware configuration, and network information. This reconnaissance activity allows them to tailor subsequent attacks, identify vulnerabilities, and potentially escalate privileges or move laterally within the network. The detection leverages Endpoint Detection and Response (EDR) data, specifically process execution logs, to identify suspicious usage patterns of these commands. Monitoring for these activities can help defenders identify early stages of an attack and prevent further compromise. This analytic was last updated in March 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system via unspecified means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The attacker executes \u003ccode\u003ewmic qfe\u003c/code\u003e to gather a list of installed Quick Fix Engineering (QFE) updates, revealing patch levels.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Enumeration:\u003c/strong\u003e The attacker executes \u003ccode\u003esysteminfo\u003c/code\u003e to collect detailed system configuration information, including OS version, installed hotfixes, and hardware details.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHostname Discovery:\u003c/strong\u003e The attacker executes \u003ccode\u003ehostname\u003c/code\u003e to identify the system's hostname, aiding in network mapping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Aggregation:\u003c/strong\u003e The attacker aggregates the collected system information to identify potential vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Based on the gathered information, the attacker attempts to exploit identified vulnerabilities to escalate privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the gathered information to identify other vulnerable systems within the network and move laterally.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e The attacker achieves their final objective, such as data exfiltration, deploying ransomware, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation following system information discovery can lead to significant damage. Attackers can use the gathered information to escalate privileges, move laterally to other systems, and ultimately exfiltrate sensitive data, deploy ransomware, or establish long-term persistence. Identifying these techniques early is critical to prevent significant compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect System Information Discovery\u0026quot; to your SIEM, focusing on \u003ccode\u003eprocess_creation\u003c/code\u003e logs from Windows systems (Sysmon EventID 1, Windows Event Log Security 4688, CrowdStrike ProcessRollup2).\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule by filtering out known-good processes or administrative accounts that legitimately use these commands for system maintenance.\u003c/li\u003e\n\u003cli\u003eEnable command-line logging for process creation events via Sysmon or Windows Event Logging to ensure the detection has the necessary data to function effectively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-system-info-discovery/","summary":"This brief covers the detection of adversaries using native Windows commands like `wmic qfe`, `systeminfo`, and `hostname` to gather system information for further exploitation.","title":"Detection of System Information Discovery Techniques","url":"https://feed.craftedsignal.io/briefs/2024-01-02-system-info-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - System-Discovery","version":"https://jsonfeed.org/version/1.1"}