System Info Discovery via Sysinfo Syscall
Detection | low | experimental
Detects use of the sysinfo system call on Linux, which returns a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system, gathering data to determine whether it is a viable target.
Log Source
Product: linux
Service: auditd
Definition
Required auditd configuration:
-a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
-a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
Detection Logic (2 selectors)
detection:
  selection:
    type: 'SYSCALL'
    SYSCALL: 'sysinfo'
  filter_optional_splunk:
    exe|endswith: '/bin/splunkd'
  condition: selection and not 1 of filter_optional_*
False Positives
Legitimate administrative activity
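The following is an added example, not part of the rule or the Sigma project, showing how the rule's two selectors and its condition behave when run over auditd SYSCALL records. The sample log lines are constructed for this example; the syscall-number table (x86_64 99, i386 116) and the mapping of the raw `syscall=` field onto the rule's `SYSCALL` field are assumptions about the log pipeline, since raw audit.log records carry numbers while `ausearch -i` output carries names. The third hit illustrates the "legitimate administrative activity" false positive: any binary that calls sysinfo and is not covered by the optional Splunk filter will fire the rule.

```python
import re
from typing import Dict, List

# Assumed syscall-number table, limited to the one syscall this rule cares
# about. Arch values are the hex strings auditd writes in the arch= field.
SYSCALL_NAMES = {
    "c000003e": {"99": "sysinfo"},   # arch=b64 (x86_64)
    "40000003": {"116": "sysinfo"},  # arch=b32 (i386)
}

# The rule's selectors, transcribed from the detection block above.
SELECTION = {"type": "SYSCALL", "SYSCALL": "sysinfo"}
FILTER_OPTIONAL = {"splunk": {"exe|endswith": "/bin/splunkd"}}

# Constructed sample records (not real telemetry). Records 1-4 use the raw
# audit.log layout; record 5 uses the `ausearch -i` layout with names resolved.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1717000000.100:101): arch=c000003e syscall=99 success=yes exit=0 ppid=1 pid=4242 comm="recon" exe="/tmp/recon" key="discovery_sysinfo_syscall"
type=SYSCALL msg=audit(1717000000.200:102): arch=c000003e syscall=99 success=yes exit=0 ppid=1 pid=900 comm="splunkd" exe="/opt/splunk/bin/splunkd" key="discovery_sysinfo_syscall"
type=SYSCALL msg=audit(1717000000.300:103): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=4243 comm="bash" exe="/usr/bin/bash" key="(null)"
type=PROCTITLE msg=audit(1717000000.100:101): proctitle="recon"
type=SYSCALL msg=audit(05/30/2025 10:00:00.400:105) : arch=x86_64 syscall=sysinfo success=yes exit=0 ppid=1 pid=5001 comm=health-check exe=/usr/local/bin/health-check key=discovery_sysinfo_syscall
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a field dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    # Expose the rule's SYSCALL field: resolve a raw number via the arch table,
    # otherwise keep the value as-is (already a name in ausearch -i output).
    raw = fields.get("syscall")
    if raw is not None:
        fields["SYSCALL"] = SYSCALL_NAMES.get(fields.get("arch", ""), {}).get(raw, raw)
    return fields


def matches(fields: Dict[str, str], selector: Dict[str, str]) -> bool:
    """Evaluate one Sigma selector: every field condition must hold (AND)."""
    for key, expected in selector.items():
        name, _, modifier = key.partition("|")
        value = fields.get(name)
        if value is None:
            return False
        if modifier == "endswith":
            if not value.endswith(expected):
                return False
        elif modifier == "":
            if value != expected:
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


def rule_fires(fields: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    if not matches(fields, SELECTION):
        return False
    return not any(matches(fields, f) for f in FILTER_OPTIONAL.values())


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records for which the rule fires, in log order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            fields = parse_record(line)
            if rule_fires(fields):
                hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT pid={hit['pid']} exe={hit['exe']} syscall={hit['SYSCALL']}")
```

Running the block alerts on pid 4242 (the unknown binary) and pid 5001 (the constructed admin script), while the splunkd record is suppressed by the optional filter and the openat and PROCTITLE records never match the selection. To tune the rule for a specific environment, add further `filter_optional_*` selectors for known callers rather than loosening the selection.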
MITRE ATT&CK
Discovery (TA0007): T1057 Process Discovery, T1082 System Information Discovery
Rule Metadata
Rule ID
b207d563-a1d9-4275-b349-77d1eb55aa6d
Status
experimental
Level
low
Type
Detection
Created
Fri May 30
Modified
Fri Dec 05
Author
Path
rules/linux/auditd/syscall/lnx_auditd_susp_discovery_sysinfo_syscall.yml
Raw Tags
attack.discovery, attack.t1057, attack.t1082