Deployable detection rules
1 vendor-native detection · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
System Information Discovery via dmidecode from Parent Shell
This rule detects dmidecode being run to gather system information on a Linux host when it is executed from a parent
shell process. Adversaries may use dmidecode to collect detailed hardware and system information, which can aid
further exploitation or lateral movement within a network, or serve as a fingerprint of a compromised system.
Query:
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
  process.name == "dmidecode" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
  process.parent.args == "-c" and not (
    process.parent.command_line in (
      "/bin/sh -c /usr/sbin/dmidecode | /bin/grep VMware", "sh -c dmidecode -s system-manufacturer"
    ) or
    ?process.working_directory in (
      "/data/oem_agent/agent_inst/sysman/emd", "/opt/rapid7/ir_agent/components/insight_agent/common", "/opt/veeam/transport",
      "/data/app/oracle/agent/agent_inst/sysman/emd", "/home/nessus", "/opt/commvault", "/opt/nessus_agent/var/nessus/mod/com.tenable.nessus_agent/data"
    ) or
    process.parent.args like "printf*"
  )
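As an added example (not part of this page's rule or any vendor's code), the query's logic re-implemented in Python so the match and exclusion branches can be exercised against constructed ECS-style events before the rule is deployed; the nested event layout, the helper names and the sample events are assumptions.

```python
from fnmatch import fnmatchcase

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
# Exclusions copied from the rule: exact parent command lines and agent working directories.
BENIGN_CMDLINES = {"/bin/sh -c /usr/sbin/dmidecode | /bin/grep VMware",
                   "sh -c dmidecode -s system-manufacturer"}
BENIGN_CWDS = {"/data/oem_agent/agent_inst/sysman/emd", "/opt/rapid7/ir_agent/components/insight_agent/common",
               "/opt/veeam/transport", "/data/app/oracle/agent/agent_inst/sysman/emd", "/home/nessus",
               "/opt/commvault", "/opt/nessus_agent/var/nessus/mod/com.tenable.nessus_agent/data"}

def field(event, path):
    """Walk a dotted ECS path; None when any segment is missing (EQL's ?field semantics)."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

aslist = lambda v: v if isinstance(v, list) else [v]  # EQL compares array fields element-wise

def matches_rule(event):
    """True when the event would fire the rule: dmidecode spawned by `<shell> -c`, minus exclusions."""
    parent_args = field(event, "process.parent.args") or []
    if not (field(event, "host.os.type") == "linux"
            and "start" in aslist(field(event, "event.type"))
            and set(aslist(field(event, "event.action"))) & {"exec", "exec_event", "start"}
            and field(event, "process.name") == "dmidecode"
            and field(event, "process.parent.name") in SHELLS
            and "-c" in parent_args):
        return False
    return not (field(event, "process.parent.command_line") in BENIGN_CMDLINES
                or field(event, "process.working_directory") in BENIGN_CWDS
                or any(fnmatchcase(a, "printf*") for a in parent_args))

def make_event(parent, args, cwd=None, name="dmidecode"):
    """Constructed minimal ECS-style process start event (assumed layout, not real telemetry)."""
    e = {"host": {"os": {"type": "linux"}}, "event": {"type": ["start"], "action": "exec"},
         "process": {"name": name, "parent": {"name": parent, "args": args, "command_line": " ".join(args)}}}
    if cwd:
        e["process"]["working_directory"] = cwd
    return e

SAMPLES = {  # constructed cases; only the first should fire
    "interactive_recon": make_event("bash", ["bash", "-c", "dmidecode -t system"], cwd="/tmp"),
    "nessus_agent": make_event("sh", ["sh", "-c", "dmidecode -s system-uuid"], cwd="/home/nessus"),
    "known_vmware_check": make_event("sh", ["/bin/sh", "-c", "/usr/sbin/dmidecode | /bin/grep VMware"]),
    "printf_wrapper": make_event("sh", ["sh", "-c", "printf x; dmidecode"]),
    "non_shell_parent": make_event("python3", ["python3", "-c", "import subprocess"]),
}
```

Running each sample through `matches_rule` shows which exclusion branch silences it, which is the check to repeat whenever an allow-listed agent path or command line is added to the rule.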