Sigma rules for Systeminfo
2 rules · scoped to tool · back to Systeminfo
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
title: Suspicious Execution of Systeminfo
id: 0ef56343-059e-4cb6-adc1-4c3c967c5e46
status: test
description: Detects usage of the "systeminfo" command to retrieve information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
author: frack113
date: 2022-01-01
modified: 2022-07-14
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\systeminfo.exe'
- OriginalFileName: 'sysinfo.exe'
condition: selection
falsepositives:
- Unknown
level: low