Sigma rules for Disco
92 rules · scoped to tool · back to Disco
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Third Party Software DLL Sideloading
id: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63
status: test
description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
# Lenovo
selection_lenovo:
ImageLoaded|endswith: '\commfunc.dll'
filter_lenovo:
- ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
- ImageLoaded|startswith:
- 'C:\Program Files\Lenovo\Communications Utility\'
- 'C:\Program Files (x86)\Lenovo\Communications Utility\'
# Toshiba
selection_toshiba:
ImageLoaded|endswith: '\tosbtkbd.dll'
filter_toshiba:
ImageLoaded|startswith:
- 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\'
- 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\'
# Zoom (FP with System32)
# selection_zoom:
# ImageLoaded|endswith: '\version.dll'
# filter_zoom:
# ImageLoaded|startswith: 'C:\Users\'
# ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\'
condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)
falsepositives:
- Unknown
level: medium
title: Windows Recall Feature Enabled - Registry
id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
related:
- id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
type: similar
- id: 817f252c-5143-4dae-b418-48c3e9f63728
type: similar
status: test
description: |
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
- attack.collection
- attack.t1113
logsource:
category: registry_set
product: windows
detection:
selection:
# HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
TargetObject|endswith: '\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate use/activation of Windows Recall
level: medium
title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: test
description: |
Detects when the 'AllowMultipleTSSessions' value is enabled.
Which allows for multiple Remote Desktop connection sessions to be opened at once.
This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
Details|endswith: DWORD (0x00000001)
condition: selection
falsepositives:
- Legitimate use of the multi session functionality
level: medium
title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
related:
- id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
type: similar
- id: 817f252c-5143-4dae-b418-48c3e9f63728
type: similar
status: test
description: |
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
- attack.collection
- attack.t1113
logsource:
category: registry_delete
product: windows
detection:
selection:
# HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
EventType: DeleteValue
TargetObject|endswith: '\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
condition: selection
falsepositives:
- Legitimate use/activation of Windows Recall
level: medium
title: Macos Remote System Discovery
id: 10227522-8429-47e6-a301-f2b2d014e7ad
status: test
description: Detects the enumeration of other remote systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/arp'
CommandLine|contains: '-a'
selection_2:
Image|endswith: '/ping'
CommandLine|contains:
- ' 10.' # 10.0.0.0/8
- ' 192.168.' # 192.168.0.0/16
- ' 172.16.' # 172.16.0.0/12
- ' 172.17.'
- ' 172.18.'
- ' 172.19.'
- ' 172.20.'
- ' 172.21.'
- ' 172.22.'
- ' 172.23.'
- ' 172.24.'
- ' 172.25.'
- ' 172.26.'
- ' 172.27.'
- ' 172.28.'
- ' 172.29.'
- ' 172.30.'
- ' 172.31.'
- ' 127.' # 127.0.0.0/8
- ' 169.254.' # 169.254.0.0/16
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: informational
title: System Network Connections Discovery - MacOs
id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
status: test
description: Detects usage of system utilities to discover system network connections
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-12-28
tags:
- attack.discovery
- attack.t1049
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith:
- '/who'
- '/w'
- '/last'
- '/lsof'
- '/netstat'
condition: selection
falsepositives:
- Legitimate activities
level: informational
title: Local Groups Discovery - MacOs
id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
status: test
description: Detects enumeration of local system groups
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1069.001
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/dscacheutil'
CommandLine|contains|all:
- '-q'
- 'group'
selection_2:
Image|endswith: '/cat'
CommandLine|contains: '/etc/group'
selection_3:
Image|endswith: '/dscl'
CommandLine|contains|all:
- '-list'
- '/groups'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: informational
title: File and Directory Discovery - MacOS
id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
status: test
description: Detects usage of system utilities to discover files and directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-25
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: macos
detection:
select_file_with_asterisk:
Image: '/usr/bin/file'
CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
select_recursive_ls:
Image: '/bin/ls'
CommandLine|contains: '-R'
select_find_execution:
Image: '/usr/bin/find'
select_mdfind_execution:
Image: '/usr/bin/mdfind'
select_tree_execution|endswith:
Image: '/tree'
condition: 1 of select*
falsepositives:
- Legitimate activities
level: informational
title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: Detects enumeration of local systeam accounts on MacOS
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/dscl'
CommandLine|contains|all:
- 'list'
- '/users'
selection_2:
Image|endswith: '/dscacheutil'
CommandLine|contains|all:
- '-q'
- 'user'
selection_3:
CommandLine|contains: '''x:0:'''
selection_4:
Image|endswith: '/cat'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_5:
Image|endswith: '/id'
selection_6:
Image|endswith: '/lsof'
CommandLine|contains: '-u'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low
title: System Network Discovery - macOS
id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
status: test
description: Detects enumeration of local network configuration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: remotephone, oscd.community
date: 2020-10-06
modified: 2024-08-29
tags:
- attack.discovery
- attack.t1016
logsource:
product: macos
category: process_creation
detection:
selection_1:
Image|endswith:
- '/arp'
- '/ifconfig'
- '/netstat'
- '/networksetup'
- '/socketfilterfw'
selection_2:
Image: '/usr/bin/defaults'
CommandLine|contains|all:
- '/Library/Preferences/com.apple.alf'
- 'read'
filter_main_wifivelocityd:
ParentImage|endswith: '/wifivelocityd'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate administration activities
level: informational
title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: test
description: |
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection_process:
Image|endswith: '/grep'
selection_architecture:
CommandLine|endswith:
- 'aarch64'
- 'arm'
- 'i386'
- 'i686'
- 'mips'
- 'x86_64'
condition: all of selection_*
falsepositives:
- Unknown
level: low
title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
category: process_creation
product: linux
detection:
selection_ls_img:
Image|endswith: '/ls' # inode outside containers low, inside high
selection_ls_cli:
- CommandLine|endswith: ' /'
- CommandLine|contains: ' / '
selection_regex_inode:
CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number
selection_regex_dir:
CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents
condition: all of selection_*
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
title: Docker Container Discovery Via Dockerenv Listing
id: 11701de9-d5a5-44aa-8238-84252f131895
status: test
description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
# Note: add additional tools and utilities to increase coverage
- '/cat'
- '/dir'
- '/find'
- '/ls'
- '/stat'
- '/test'
- 'grep'
CommandLine|endswith: '.dockerenv'
condition: selection
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: test
description: Detects the enumeration of other remote systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: linux
detection:
selection_1:
Image|endswith: '/arp'
CommandLine|contains: '-a'
selection_2:
Image|endswith: '/ping'
CommandLine|contains:
- ' 10.' # 10.0.0.0/8
- ' 192.168.' # 192.168.0.0/16
- ' 172.16.' # 172.16.0.0/12
- ' 172.17.'
- ' 172.18.'
- ' 172.19.'
- ' 172.20.'
- ' 172.21.'
- ' 172.22.'
- ' 172.23.'
- ' 172.24.'
- ' 172.25.'
- ' 172.26.'
- ' 172.27.'
- ' 172.28.'
- ' 172.29.'
- ' 172.30.'
- ' 172.31.'
- ' 127.' # 127.0.0.0/8
- ' 169.254.' # 169.254.0.0/16
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low
title: Local Groups Discovery - Linux
id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
status: test
description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2025-06-04
tags:
- attack.discovery
- attack.t1069.001
logsource:
category: process_creation
product: linux
detection:
selection_1:
Image|endswith: '/groups'
selection_2:
Image|endswith:
- '/cat'
- '/ed'
- '/head'
- '/less'
- '/more'
- '/nano'
- '/tail'
- '/vi'
- '/vim'
CommandLine|contains: '/etc/group'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: low
title: Local System Accounts Discovery - Linux
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: test
description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
- https://my.f5.com/manage/s/article/K589
- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
author: Alejandro Ortuno, oscd.community, CheraghiMilad
date: 2020-10-08
modified: 2024-12-10
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: linux
detection:
selection_1:
Image|endswith: '/lastlog'
selection_2:
CommandLine|contains: '''x:0:'''
selection_3:
Image|endswith:
- '/cat'
- '/ed'
- '/head'
- '/more'
- '/nano'
- '/tail'
- '/vi'
- '/vim'
- '/less'
- '/emacs'
- '/sqlite3'
- '/makemap'
CommandLine|contains:
- '/etc/passwd'
- '/etc/shadow'
- '/etc/sudoers'
- '/etc/spwd.db'
- '/etc/pwd.db'
- '/etc/master.passwd'
selection_4:
Image|endswith: '/id'
selection_5:
Image|endswith: '/lsof'
CommandLine|contains: '-u'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low
title: Security Software Discovery - Linux
id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
status: test
description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
# You can add more grep variations such as fgrep, rgrep...etc
- '/grep'
- '/egrep'
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'osqueryd' # facebook osquery
- 'cbagentd' # carbon black
- 'falcond' # crowdstrike falcon
condition: selection
falsepositives:
- Legitimate activities
level: low
title: File and Directory Discovery - Linux
id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
status: test
description: |
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
date: 2020-10-19
modified: 2024-12-01
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_file_with_asterisk:
Image|endswith: '/file'
CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
selection_recursive_ls:
Image|endswith: '/ls'
CommandLine|contains: '-R'
selection_find_execution:
Image|endswith: '/find'
selection_tree_execution:
Image|endswith: '/tree'
selection_findmnt_execution:
Image|endswith: '/findmnt'
selection_locate_execution:
Image|endswith: '/mlocate'
condition: 1 of selection_*
falsepositives:
- Legitimate activities
level: informational
title: System Information Discovery
id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
status: stable
description: Detects system information discovery commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
author: Ömer Günal, oscd.community
date: 2020-10-08
modified: 2021-09-14
tags:
- attack.discovery
- attack.t1082
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/uname'
- '/hostname'
- '/uptime'
- '/lspci'
- '/dmidecode'
- '/lscpu'
- '/lsmod'
condition: selection
falsepositives:
- Legitimate administration activities
level: informational
title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
category: process_creation
product: linux
detection:
selection_tools:
Image|endswith:
- 'awk'
- '/cat'
- 'grep'
- '/head'
- '/less'
- '/more'
- '/nl'
- '/tail'
selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd
CommandLine|contains: '/proc/2/'
selection_procfs_target:
CommandLine|contains: '/proc/'
CommandLine|endswith:
- '/cgroup' # cgroups end in ':/' outside containers
- '/sched' # PID mismatch when run in containers
condition: selection_tools and 1 of selection_procfs_*
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: test
description: Detects enumeration of local network configuration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: Ömer Günal and remotephone, oscd.community
date: 2020-10-06
modified: 2022-09-15
tags:
- attack.discovery
- attack.t1016
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/firewall-cmd'
- '/ufw'
- '/iptables'
- '/netstat'
- '/ss'
- '/ip'
- '/ifconfig'
- '/systemd-resolve'
- '/route'
selection_cli:
CommandLine|contains: '/etc/resolv.conf'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: informational
title: System Network Connections Discovery - Linux
id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
status: test
description: Detects usage of system utilities to discover system network connections
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2023-01-17
tags:
- attack.discovery
- attack.t1049
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/who'
- '/w'
- '/last'
- '/lsof'
- '/netstat'
filter_landscape_sysinfo:
ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
Image|endswith: '/who'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate activities
level: low
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
- https://github.com/carlospolop/PEASS-ng
- https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2026-01-24
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/getcap'
CommandLine|contains: ' -r '
condition: selection
falsepositives:
- Unknown
level: low
title: Password Policy Discovery - Linux
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
- https://linux.die.net/man/1/chage
- https://man7.org/linux/man-pages/man1/passwd.1.html
- https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
author: Ömer Günal, oscd.community, Pawel Mazur
date: 2020-10-08
modified: 2024-12-01
tags:
- attack.discovery
- attack.t1201
logsource:
product: linux
service: auditd
detection:
selection_files:
type: 'PATH'
name:
- '/etc/login.defs'
- '/etc/pam.d/auth'
- '/etc/pam.d/common-account'
- '/etc/pam.d/common-auth'
- '/etc/pam.d/common-password'
- '/etc/pam.d/system-auth'
- '/etc/security/pwquality.conf'
selection_chage:
type: 'EXECVE'
a0: 'chage'
a1:
- '--list'
- '-l'
selection_passwd:
type: 'EXECVE'
a0: 'passwd'
a1:
- '-S'
- '--status'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: low
title: System Information Discovery - Auditd
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
status: test
description: Detects System Information Discovery commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
author: Pawel Mazur
date: 2021-09-03
modified: 2023-03-06
tags:
- attack.discovery
- attack.t1082
logsource:
product: linux
service: auditd
detection:
selection_1:
type: PATH
name:
- /etc/lsb-release
- /etc/redhat-release
- /etc/issue
selection_2:
type: EXECVE
a0:
- uname
- uptime
- lsmod
- hostname
- env
selection_3:
type: EXECVE
a0: grep
a1|contains:
- vbox
- vm
- xen
- virtio
- hv
selection_4:
type: EXECVE
a0: kmod
a1: list
condition: 1 of selection_*
falsepositives:
- Likely
level: low
title: System and Hardware Information Discovery
id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
related:
- id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
type: derived
status: stable
description: Detects system information discovery commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
author: Ömer Günal, oscd.community
date: 2020-10-08
modified: 2022-11-26
tags:
- attack.discovery
- attack.t1082
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- '/sys/class/dmi/id/bios_version'
- '/sys/class/dmi/id/product_name'
- '/sys/class/dmi/id/chassis_vendor'
- '/proc/scsi/scsi'
- '/proc/ide/hd0/model'
- '/proc/version'
- '/etc/*version'
- '/etc/*release'
- '/etc/issue'
condition: selection
falsepositives:
- Legitimate administration activities
level: informational
title: System Info Discovery via Sysinfo Syscall
id: b207d563-a1d9-4275-b349-77d1eb55aa6d
status: experimental
description: |
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
references:
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
- https://man7.org/linux/man-pages/man2/sysinfo.2.html
author: Milad Cheraghi
date: 2025-05-30
modified: 2025-12-05
tags:
- attack.discovery
- attack.t1057
- attack.t1082
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
-a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'sysinfo'
filter_optional_splunk:
exe|endswith: '/bin/splunkd'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate administrative activity
level: low
title: System Owner or User Discovery - Linux
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: test
description: |
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2025-06-04
tags:
- attack.discovery
- attack.t1033
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0:
- 'hostname'
- 'id'
- 'last'
- 'uname'
- 'users'
- 'w'
- 'who'
- 'whoami'
condition: selection
falsepositives:
- Admin activity
level: low
title: Linux Capabilities Discovery
id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
status: test
description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
references:
- https://man7.org/linux/man-pages/man8/getcap.8.html
- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
- https://mn3m.info/posts/suid-vs-capabilities/
- https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
author: 'Pawel Mazur'
date: 2021-11-28
modified: 2022-12-25
tags:
- attack.discovery
- attack.privilege-escalation
- attack.t1083
- attack.t1548
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
a0: getcap
a1: '-r'
a2: '/'
condition: selection
falsepositives:
- Unknown
level: low
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
- https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'dir'
- 'show arp'
- 'show cdp'
- 'show clock'
- 'show ip interface'
- 'show ip route'
- 'show ip sockets'
- 'show processes'
- 'show ssh'
- 'show users'
- 'show version'
condition: keywords
falsepositives:
- Commonly used by administrators for troubleshooting
level: low
title: Suspicious GPO Discovery With Get-GPO
id: eb2fd349-ec67-4caa-9143-d79c7fb34441
status: test
description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
author: frack113
date: 2022-06-04
tags:
- attack.discovery
- attack.t1615
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Get-GPO
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: low
title: Suspicious Process Discovery With Get-Process
id: af4c87ce-bdda-4215-b998-15220772e993
status: test
description: Get the processes that are running on the local computer.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
author: frack113
date: 2022-03-17
tags:
- attack.discovery
- attack.t1057
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Get-Process
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: low
title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
status: test
description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
author: frack113
date: 2022-03-17
tags:
- attack.discovery
- attack.t1201
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: low
title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
- https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
- attack.discovery
- attack.t1482
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|startswith: '_ldap.'
filter_main_generic:
Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\'
filter_main_defender:
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_main_unknown:
Image: '<unknown process>'
filter_optional_azure:
Image|startswith: 'C:\WindowsAzure\GuestAgent'
filter_main_null:
Image: null
filter_optional_browsers:
# Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\opera.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
# Note: Incrase the level once a baseline is established
level: low
title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
status: test
description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-06-28
tags:
- attack.discovery
- attack.t1124
logsource:
category: process_creation
product: windows
detection:
selection_time:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'time'
selection_w32tm:
Image|endswith: '\w32tm.exe'
CommandLine|contains: 'tz'
condition: 1 of selection_*
falsepositives:
- Legitimate use of the system utilities to discover system time for legitimate reason
level: low
title: System Network Connections Discovery Via Net.EXE
id: 1c67a717-32ba-409b-a45d-0fb704a73a81
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
author: frack113
date: 2021-12-10
modified: 2023-02-21
tags:
- attack.discovery
- attack.t1049
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
- CommandLine|endswith:
- ' use'
- ' sessions'
- CommandLine|contains:
- ' use '
- ' sessions '
condition: all of selection_*
falsepositives:
- Unknown
level: low
title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
- https://ss64.com/nt/netsh.html
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-18
tags:
- attack.discovery
- attack.t1016
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'netsh'
- 'show '
- 'firewall '
CommandLine|contains:
- 'config '
- 'state '
- 'rule '
- 'name=all'
condition: all of selection_*
falsepositives:
- Administrative activity
level: low
title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-19
tags:
- attack.discovery
- attack.t1016
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|re:
- 'ipconfig\s+/all'
- 'netsh\s+interface show interface'
- 'arp\s+-a'
- 'nbtstat\s+-n'
- 'net\s+config'
- 'route\s+print'
condition: selection
falsepositives:
- Administrator, hotline ask to user
level: low
title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
- id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
type: similar
- id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author: Arun Chauhan
date: 2023-02-03
tags:
- attack.discovery
- attack.t1016
- attack.t1018
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
condition: selection
falsepositives:
- Legitimate administration activity
level: low
title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
references:
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
- https://intel.thedfirreport.com/eventReports/view/57 # Private Report
author: 'The DFIR Report'
tags:
- attack.discovery
- attack.t1083
date: 2025-02-21
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith: '\notepad.exe'
CommandLine|endswith:
# Note: Commandline to contain a file with the string password and a specific extension
- 'password*.txt'
- 'password*.csv'
- 'password*.doc'
- 'password*.xls'
condition: selection
falsepositives:
- Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low
title: Local Accounts Discovery
id: 502b42de-4306-40b4-9596-6f590c81f073
status: test
related:
- id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution
type: obsolete
description: Local accounts, System Owner/User discovery using operating systems utilities
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2025-10-20
tags:
- attack.discovery
- attack.t1033
- attack.t1087.001
logsource:
category: process_creation
product: windows
detection:
selection_other_img:
- Image|endswith:
- '\whoami.exe'
- '\quser.exe'
- '\qwinsta.exe'
- OriginalFileName:
- 'whoami.exe'
- 'quser.exe'
- 'qwinsta.exe'
selection_other_wmi:
Image|endswith: '\wmic.exe'
CommandLine|contains|all:
- 'useraccount'
- 'get'
selection_other_cmdkey:
Image|endswith: '\cmdkey.exe'
CommandLine|contains: ' /l'
selection_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- ' /c'
- 'dir '
- '\Users\'
filter_cmd:
CommandLine|contains: ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
selection_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'user'
filter_net:
CommandLine|contains:
- '/domain' # local account discovery only
- '/add' # discovery only
- '/delete' # discovery only
- '/active' # discovery only
- '/expires' # discovery only
- '/passwordreq' # discovery only
- '/scriptpath' # discovery only
- '/times' # discovery only
- '/workstations' # discovery only
condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
falsepositives:
- Legitimate administrator or user enumerates local users for legitimate reason
level: low
title: System Information Discovery via Registry Queries
id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
status: experimental
description: Detects attempts to query system information directly from the Windows Registry.
references:
- https://cert.gov.ua/article/6277849
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
author: lazarg
date: 2025-06-12
modified: 2025-10-25
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_cmd_reg:
Image|endswith: '\reg.exe'
CommandLine|contains: 'query'
CommandLine|contains|windash: '-v'
selection_cmd_powershell:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'Get-ItemPropertyValue'
- 'gpv'
selection_keys:
CommandLine|contains:
- '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
- '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
- '\SYSTEM\CurrentControlSet\Services' # Details about existing services
condition: 1 of selection_cmd_* and selection_keys
falsepositives:
- Unlikely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
simulation:
- type: atomic-red-team
name: System Information Discovery
technique: T1010
atomic_guid: 66703791-c902-4560-8770-42b8a91f7667
- type: atomic-red-team
name: Discover OS Product Name via Registry
technique: T1082
atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
- type: atomic-red-team
name: Discover OS Build Number via Registry
technique: T1082
atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec