Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectioninformationalstable

System and Hardware Information Discovery

Detects system information discovery commands

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ömer Günal, oscd.communityCreated Thu Oct 08Updated Sat Nov 261f358e2e-cb63-43c3-b575-dfb072a6814flinux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic1 selector
detection:
    selection:
        type: 'PATH'
        name:
            - '/sys/class/dmi/id/bios_version'
            - '/sys/class/dmi/id/product_name'
            - '/sys/class/dmi/id/chassis_vendor'
            - '/proc/scsi/scsi'
            - '/proc/ide/hd0/model'
            - '/proc/version'
            - '/etc/*version'
            - '/etc/*release'
            - '/etc/issue'
    condition: selection
False Positives

Legitimate administration activities

References
1
Resolving title…
github.com
MITRE ATT&CK
Related Rules
DerivedDetectioninformational

System Information Discovery

Detects system information discovery commands

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
1f358e2e-cb63-43c3-b575-dfb072a6814f
Status
stable
Level
informational
Type
Detection
Created
Thu Oct 08
Modified
Sat Nov 26
Author
Ömer Günal, oscd.community
Path
rules/linux/auditd/path/lnx_auditd_system_info_discovery2.yml
Raw Tags
attack.discoveryattack.t1082
View on GitHub