Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
status testauthor Florian Roth (Nextron Systems), Nasreddine Bencherchaliid fca949cc-79ca-446e-8064-01aa7e52ece5
view Sigma YAML
title: HackTool - PCHunter Execution
id: fca949cc-79ca-446e-8064-01aa7e52ece5
status: test
description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
references:
- https://web.archive.org/web/20231210115125/http://www.xuetr.com/
- https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-10-10
modified: 2024-11-23
tags:
- attack.execution
- attack.discovery
- attack.t1082
- attack.t1057
- attack.t1012
- attack.t1083
- attack.t1007
logsource:
category: process_creation
product: windows
detection:
selection_image:
Image|endswith:
- '\PCHunter64.exe'
- '\PCHunter32.exe'
selection_pe:
- OriginalFileName: 'PCHunter.exe'
- Description: 'Epoolsoft Windows Information View Tools'
selection_hashes:
Hashes|contains:
- 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
- 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
- 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
- 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
- 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
- 'MD5=228DD0C2E6287547E26FFBD973A40F14'
- 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
- 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
high
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status testauthor Swachchhanda Shrawan Poudelid d557dc06-62e8-4468-a8e8-7984124908ce
view Sigma YAML
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
- id: 851fd622-b675-4d26-b803-14bc7baa517a
type: similar
status: test
description: |
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
- attack.credential-access
- attack.discovery
- attack.execution
- attack.privilege-escalation
- attack.t1046
- attack.t1082
- attack.t1106
- attack.t1518
- attack.t1548.002
- attack.t1552.001
- attack.t1555
- attack.t1555.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Offline_Winpwn'
- 'WinPwn '
- 'WinPwn.exe'
- 'WinPwn.ps1'
condition: selection
falsepositives:
- Unknown
level: high
high
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status testauthor Swachchhanda Shrawan Poudelid 851fd622-b675-4d26-b803-14bc7baa517a
view Sigma YAML
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
- id: d557dc06-62e8-4468-a8e8-7984124908ce
type: similar
status: test
description: |
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
- attack.credential-access
- attack.discovery
- attack.execution
- attack.privilege-escalation
- attack.t1046
- attack.t1082
- attack.t1106
- attack.t1518
- attack.t1548.002
- attack.t1552.001
- attack.t1555
- attack.t1555.003
logsource:
category: ps_script
product: windows
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Offline_Winpwn'
- 'WinPwn '
- 'WinPwn.exe'
- 'WinPwn.ps1'
condition: selection
falsepositives:
- As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
high
HackTool - winPEAS Execution
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
status testauthor Georg Lauenstein (sure[secure])id 98b53e78-ebaf-46f8-be06-421aafd176d9
view Sigma YAML
title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
- https://github.com/carlospolop/PEASS-ng
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1082
- attack.t1087
- attack.t1046
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'winPEAS.exe'
- Image|endswith:
- '\winPEASany_ofs.exe'
- '\winPEASany.exe'
- '\winPEASx64_ofs.exe'
- '\winPEASx64.exe'
- '\winPEASx86_ofs.exe'
- '\winPEASx86.exe'
selection_cli_option:
CommandLine|contains:
- ' applicationsinfo' # Search installed applications information
- ' browserinfo' # Search browser information
- ' eventsinfo' # Display interesting events information
- ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- ' filesinfo' # Search generic files that can contains credentials
- ' processinfo' # Search processes information
- ' servicesinfo' # Search services information
- ' windowscreds' # Search windows credentials
selection_cli_dl:
CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
selection_cli_specific:
- ParentCommandLine|endswith: ' -linpeas'
- CommandLine|endswith: ' -linpeas'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
high
Network Reconnaissance Activity
Detects a set of suspicious network related commands often used in recon stages
status testauthor Florian Roth (Nextron Systems)id e6313acd-208c-44fc-a0ff-db85d572e90e
view Sigma YAML
title: Network Reconnaissance Activity
id: e6313acd-208c-44fc-a0ff-db85d572e90e
status: test
description: Detects a set of suspicious network related commands often used in recon stages
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
author: Florian Roth (Nextron Systems)
date: 2022-02-07
tags:
- attack.discovery
- attack.t1087
- attack.t1082
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'nslookup'
- '_ldap._tcp.dc._msdcs.'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
high
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
status testauthor Joseliyo Sanchez, @Joseliyo_Jstnkid e34cfa0c-0a50-4210-9cb3-5632d08eb041
view Sigma YAML
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/grep'
CommandLine|contains:
- 'apached'
- 'frpc'
- 'sshd.sh'
- 'zone.arm'
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
status testauthor Florian Roth (Nextron Systems)id 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
view Sigma YAML
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
- attack.discovery
- attack.t1082
logsource:
product: windows
category: process_creation
detection:
selection_plain:
Image|endswith: '\dtrace.exe'
CommandLine|contains: 'lkd(0)'
selection_obfuscated:
CommandLine|contains|all:
- 'syscall:::return'
- 'lkd('
condition: 1 of selection*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
medium
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
status testauthor Muhammad Faisal (@faisalusuf)id 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
view Sigma YAML
title: Bitbucket User Details Export Attempt Detected
id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
status: test
description: Detects user data export activity.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.collection
- attack.reconnaissance
- attack.discovery
- attack.t1213
- attack.t1082
- attack.t1591.004
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Users and groups'
auditType.action:
- 'User permissions export failed'
- 'User permissions export started'
- 'User permissions exported'
condition: selection
falsepositives:
- Legitimate user activity.
level: medium
medium
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
status testauthor Muhammad Faisal (@faisalusuf)id 87cc6698-3e07-4ba2-9b43-a85a73e151e2
view Sigma YAML
title: Bitbucket User Permissions Export Attempt
id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
status: test
description: Detects user permission data export attempt.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.reconnaissance
- attack.collection
- attack.discovery
- attack.t1213
- attack.t1082
- attack.t1591.004
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Users and groups'
auditType.action:
- 'User details export failed'
- 'User details export started'
- 'User details exported'
condition: selection
falsepositives:
- Legitimate user activity.
level: medium
medium
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
status testauthor Florian Roth (Nextron Systems)id 5722dff1-4bdd-4949-86ab-fbaf707e767a
view Sigma YAML
title: PUA - System Informer Execution
id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
related:
- id: 811e0002-b13b-4a15-9d00-a613fce66e42
type: similar
status: test
description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
references:
- https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
- attack.persistence
- attack.privilege-escalation
- attack.discovery
- attack.stealth
- attack.t1082
- attack.t1564
- attack.t1543
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SystemInformer.exe'
- OriginalFileName: 'SystemInformer.exe'
- Description: 'System Informer'
- Product: 'System Informer'
- Hashes|contains:
# Note: add other hashes as needed
# 3.0.11077.6550
- 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
- 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
- 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
- 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
condition: selection
falsepositives:
- System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
medium
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
status testauthor Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)id e568650b-5dcd-4658-8f34-ded0b1e13992
view Sigma YAML
title: Potential Product Class Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: test
description: |
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
references:
- https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-02-14
modified: 2025-03-17
tags:
- attack.execution
- attack.t1047
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
# Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
CommandLine|contains:
- 'AntiVirusProduct'
- 'AntiSpywareProduct'
- 'FirewallProduct'
condition: all of selection_*
falsepositives:
- Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
level: medium
medium
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
status testauthor Janantha Marasingheid c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
view Sigma YAML
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
- https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
- attack.collection
- attack.discovery
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1685.001
- attack.t1547.001
- attack.t1505.005
- attack.t1556.002
- attack.t1685
- attack.t1574.007
- attack.t1564.002
- attack.t1546.008
- attack.t1546.007
- attack.t1547.014
- attack.t1547.010
- attack.t1547.002
- attack.t1557
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\secedit.exe'
- OriginalFileName: 'SeCEdit'
selection_flags_discovery:
CommandLine|contains|all:
- '/export'
- '/cfg'
selection_flags_configure:
CommandLine|contains|all:
- '/configure'
- '/db'
# filter:
# SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log
condition: selection_img and (1 of selection_flags_*)
falsepositives:
- Legitimate administrative use
level: medium
medium
System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
status testauthor Stephen Lincoln '@slincoln-aiq' (AttackIQ)id c79da740-5030-45ec-a2e0-479e824a562c
view Sigma YAML
title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: similar
status: test
description: |
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
- attack.execution
- attack.discovery
- attack.t1047
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
- CommandLine|contains:
- ' volumename'
- ' logicaldisk'
- CommandLine|contains|all:
- 'path'
- 'win32_logicaldisk'
- CommandLine|contains|all:
- ' volume'
- ' list '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information.
This process is used for system information discovery.
It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
status testauthor Joseliyo Sanchez, @Joseliyo_Jstnkid 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
view Sigma YAML
title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: test
description: |
Detects the use of "ioreg" which will show I/O Kit registry information.
This process is used for system information discovery.
It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
references:
- https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
- https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
- https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
- https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
modified: 2024-01-02
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# Examples:
# /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
# /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
# /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
# ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
selection_img:
- Image|endswith: '/ioreg'
- CommandLine|contains: 'ioreg'
selection_cmd1:
CommandLine|contains:
- '-l'
- '-c'
selection_cmd2:
CommandLine|contains:
- 'AppleAHCIDiskDriver'
- 'IOPlatformExpertDevice'
- 'Oracle'
- 'Parallels'
- 'USB Vendor Name'
- 'VirtualBox'
- 'VMware'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
medium
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
status testauthor Stephen Lincoln `@slincoln_aiq` (AttackIQ)id 4809c683-059b-4935-879d-36835986f8cf
view Sigma YAML
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
references:
- https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
- https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
- https://ss64.com/mac/system_profiler.html
- https://objective-see.org/blog/blog_0x62.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
- attack.discovery
- attack.stealth
- attack.t1082
- attack.t1497.001
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/system_profiler'
- CommandLine|contains: 'system_profiler'
selection_cmd:
# Note: This list is based on CTI reporting. Threat actors might use other data types. Please refere to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
CommandLine|contains:
- 'SPApplicationsDataType'
- 'SPHardwareDataType'
- 'SPNetworkDataType'
- 'SPUSBDataType'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
medium
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery
status testauthor Joseliyo Sanchez, @Joseliyo_Jstnkid 5de06a6f-673a-4fc0-8d48-bcfe3837b033
view Sigma YAML
title: System Information Discovery Using sw_vers
id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
status: test
description: Detects the use of "sw_vers" for system information discovery
references:
- https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
- https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
- https://ss64.com/osx/sw_vers.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
selection_image:
Image|endswith: '/sw_vers'
selection_options:
CommandLine|contains:
- '-buildVersion'
- '-productName'
- '-productVersion'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
medium
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
This process is primarily used to detect and avoid virtualization and analysis environments.
status testauthor Pratinav Chandraid 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
view Sigma YAML
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
This process is primarily used to detect and avoid virtualization and analysis environments.
references:
- https://www.loobins.io/binaries/sysctl/#
- https://evasions.checkpoint.com/techniques/macos.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://objective-see.org/blog/blog_0x1E.html
- https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
- attack.stealth
- attack.t1497.001
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/sysctl'
- CommandLine|contains: 'sysctl'
selection_cmd:
CommandLine|contains:
- 'hw.'
- 'kern.'
- 'machdep.'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
medium
Uncommon System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
and GPU driver products/versions.
Some of these commands were used by Aurora Stealer in late 2022/early 2023.
status testauthor TropChaudid 9d5a1274-922a-49d0-87f3-8c653483b909
view Sigma YAML
title: Uncommon System Information Discovery Via Wmic.EXE
id: 9d5a1274-922a-49d0-87f3-8c653483b909
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: derived
status: test
description: |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
and GPU driver products/versions.
Some of these commands were used by Aurora Stealer in late 2022/early 2023.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
- https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
- https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
- https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
- https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
- https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: TropChaud
date: 2023-01-26
modified: 2023-12-19
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_wmic:
- Description: 'WMI Commandline Utility'
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_commands:
CommandLine|contains:
- 'LOGICALDISK get Name,Size,FreeSpace'
- 'os get Caption,OSArchitecture,Version'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
low
Cisco Discovery
Find information about network devices that is not stored in config files
status testauthor Austin Clarkid 9705a6a1-6db6-4a16-a987-15b7151e299b
view Sigma YAML
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
- https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'dir'
- 'show arp'
- 'show cdp'
- 'show clock'
- 'show ip interface'
- 'show ip route'
- 'show ip sockets'
- 'show processes'
- 'show ssh'
- 'show users'
- 'show version'
condition: keywords
falsepositives:
- Commonly used by administrators for troubleshooting
level: low
low
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
status testauthor Seth Hanfordid 746c86fb-ccda-4816-8997-01386263acc4
view Sigma YAML
title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
category: process_creation
product: linux
detection:
selection_tools:
Image|endswith:
- 'awk'
- '/cat'
- 'grep'
- '/head'
- '/less'
- '/more'
- '/nl'
- '/tail'
selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd
CommandLine|contains: '/proc/2/'
selection_procfs_target:
CommandLine|contains: '/proc/'
CommandLine|endswith:
- '/cgroup' # cgroups end in ':/' outside containers
- '/sched' # PID mismatch when run in containers
condition: selection_tools and 1 of selection_procfs_*
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
low
Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
status testauthor Seth Hanfordid 11701de9-d5a5-44aa-8238-84252f131895
view Sigma YAML
title: Docker Container Discovery Via Dockerenv Listing
id: 11701de9-d5a5-44aa-8238-84252f131895
status: test
description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
# Note: add additional tools and utilities to increase coverage
- '/cat'
- '/dir'
- '/find'
- '/ls'
- '/stat'
- '/test'
- 'grep'
CommandLine|endswith: '.dockerenv'
condition: selection
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
low
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
status testauthor Joseliyo Sanchez, @Joseliyo_Jstnkid d27ab432-2199-483f-a297-03633c05bae6
view Sigma YAML
title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: test
description: |
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection_process:
Image|endswith: '/grep'
selection_architecture:
CommandLine|endswith:
- 'aarch64'
- 'arm'
- 'i386'
- 'i686'
- 'mips'
- 'x86_64'
condition: all of selection_*
falsepositives:
- Unknown
level: low
low
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
status testauthor Seth Hanfordid 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
view Sigma YAML
title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
category: process_creation
product: linux
detection:
selection_ls_img:
Image|endswith: '/ls' # inode outside containers low, inside high
selection_ls_cli:
- CommandLine|endswith: ' /'
- CommandLine|contains: ' / '
selection_regex_inode:
CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number
selection_regex_dir:
CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents
condition: all of selection_*
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
low
Suspicious Execution of Hostname
Use of hostname to get information
status testauthor frack113id 7be5fb68-f9ef-476d-8b51-0256ebece19e
view Sigma YAML
title: Suspicious Execution of Hostname
id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
status: test
description: Use of hostname to get information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
author: frack113
date: 2022-01-01
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\HOSTNAME.EXE'
condition: selection
falsepositives:
- Unknown
level: low
low
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
status testauthor frack113id 0ef56343-059e-4cb6-adc1-4c3c967c5e46
view Sigma YAML
title: Suspicious Execution of Systeminfo
id: 0ef56343-059e-4cb6-adc1-4c3c967c5e46
status: test
description: Detects usage of the "systeminfo" command to retrieve information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
author: frack113
date: 2022-01-01
modified: 2022-07-14
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\systeminfo.exe'
- OriginalFileName: 'sysinfo.exe'
condition: selection
falsepositives:
- Unknown
level: low
low
Suspicious Query of MachineGUID
Use of reg to get MachineGuid information
status testauthor frack113id f5240972-3938-4e56-8e4b-e33893176c1f
view Sigma YAML
title: Suspicious Query of MachineGUID
id: f5240972-3938-4e56-8e4b-e33893176c1f
status: test
description: Use of reg to get MachineGuid information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
author: frack113
date: 2022-01-01
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- 'SOFTWARE\Microsoft\Cryptography'
- '/v '
- 'MachineGuid'
condition: selection
falsepositives:
- Unknown
level: low
low
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
status experimentalauthor Milad Cheraghiid b207d563-a1d9-4275-b349-77d1eb55aa6d
view Sigma YAML
title: System Info Discovery via Sysinfo Syscall
id: b207d563-a1d9-4275-b349-77d1eb55aa6d
status: experimental
description: |
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
references:
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
- https://man7.org/linux/man-pages/man2/sysinfo.2.html
author: Milad Cheraghi
date: 2025-05-30
modified: 2025-12-05
tags:
- attack.discovery
- attack.t1057
- attack.t1082
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
-a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'sysinfo'
filter_optional_splunk:
exe|endswith: '/bin/splunkd'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate administrative activity
level: low
low
System Information Discovery - Auditd
Detects System Information Discovery commands
status testauthor Pawel Mazurid f34047d9-20d3-4e8b-8672-0a35cc50dc71