Which SIEM platforms have a T1082 detection rule?

df00tech provides T1082 (System Information Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Information Discovery (T1082)?

Detecting System Information Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1082 detection?

The T1082 detection is rated low severity with medium confidence.

What are common false positives for T1082?

Common false positives for T1082 include: IT operations scripts and monitoring agents (Zabbix, SolarWinds, SCCM inventory) that routinely collect system information; Software installers checking OS version compatibility before installing packages; Help desk and remote support tools that gather system information for troubleshooting tickets.

T1082

System Information Discovery

Discovery Last updated: April 13, 2026

Adversaries may attempt to gather detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Tools such as systeminfo, wmic, ver, and uname can be used to enumerate this data. Adversaries use this information to shape follow-on behaviors, including payload targeting, privilege escalation path selection, and evasion tuning. On ESXi, esxcli utilities expose system version and hostname. In cloud IaaS environments, authenticated API calls can return OS platform and instance metadata. This technique is frequently observed early in post-exploitation chains as part of host fingerprinting.

What is T1082 System Information Discovery?

System Information Discovery (T1082) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for System Information Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1082 System Information Discovery
Canonical reference: https://attack.mitre.org/techniques/T1082/

Microsoft Sentinel / Defender

kusto

let SysInfoTools = dynamic(["systeminfo.exe", "msinfo32.exe"]);
let WmicSysPatterns = dynamic(["os get", "computersystem get", "bios get", "cpu get", "memorychip get", "csproduct get"]);
let RegVersionPaths = dynamic(["CurrentVersion", "CurrentBuildNumber", "ProductName", "ReleaseId", "DisplayVersion"]);
let PSInfoPatterns = dynamic(["Get-ComputerInfo", "Get-WmiObject Win32_OperatingSystem", "Get-CimInstance Win32_OperatingSystem", "[System.Environment]::OSVersion", "$env:OS", "gwmi Win32_OS"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    FileName in~ (SysInfoTools)
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicSysPatterns))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any (RegVersionPaths) and ProcessCommandLine has "query")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSPatterns))
    or (FileName =~ "cmd.exe" and ProcessCommandLine has "ver")
)
| extend IsSystemInfo = FileName in~ (SysInfoTools)
| extend IsWmicOsEnum = FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicSysPatterns)
| extend IsRegQuery = FileName =~ "reg.exe" and ProcessCommandLine has_any (RegVersionPaths)
| extend IsPSEnum = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSInfoPatterns)
| extend SuspiciousParent = InitiatingProcessFileName in~ ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe", "services.exe")
| extend OfficeParent = InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mspub.exe")
| where IsSystemInfo or IsWmicOsEnum or IsRegQuery or IsPSEnum
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum,
         SuspiciousParent, OfficeParent
| sort by Timestamp desc

Detects system information discovery commands using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors for systeminfo.exe, msinfo32.exe, wmic OS/hardware enumeration, registry queries for Windows version keys, and PowerShell cmdlets that retrieve OS/hardware details. Tags suspicious parent processes (LOLBins, Office apps) to help triage automated discovery versus post-exploitation reconnaissance.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT operations scripts and monitoring agents (Zabbix, SolarWinds, SCCM inventory) that routinely collect system information
Software installers checking OS version compatibility before installing packages
Help desk and remote support tools that gather system information for troubleshooting tickets
Vulnerability scanners and compliance auditing tools (Tenable, Qualys, CrowdStrike Spotlight) enumerating host details
Developer workstations where engineers query system info for build environment validation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval CommandLine_lower=lower(CommandLine)
| eval ParentImage_lower=lower(ParentImage)
| eval IsSystemInfo=if(match(Image_lower, "(systeminfo\.exe|msinfo32\.exe)"), 1, 0)
| eval IsWmicOsEnum=if(match(Image_lower, "wmic\.exe") AND match(CommandLine_lower, "(os\s+get|computersystem\s+get|bios\s+get|cpu\s+get|memorychip\s+get|csproduct\s+get)"), 1, 0)
| eval IsRegQuery=if(match(Image_lower, "reg\.exe") AND match(CommandLine_lower, "query") AND match(CommandLine_lower, "(currentversion|currentbuildnumber|productname|releaseid|displayversion)"), 1, 0)
| eval IsPSEnum=if((match(Image_lower, "(powershell\.exe|pwsh\.exe)")) AND match(CommandLine_lower, "(get-computerinfo|win32_operatingsystem|win32_bios|win32_computersystem|osversion|\$env:os)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage_lower, "(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)"), 1, 0)
| eval OfficeParent=if(match(ParentImage_lower, "(winword\.exe|excel\.exe|outlook\.exe|powerpnt\.exe)"), 1, 0)
| where IsSystemInfo=1 OR IsWmicOsEnum=1 OR IsRegQuery=1 OR IsPSEnum=1
| eval TotalScore=IsSystemInfo + IsWmicOsEnum + IsRegQuery + IsPSEnum + SuspiciousParent + OfficeParent
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum, SuspiciousParent, OfficeParent, TotalScore
| sort - _time

Detects system information discovery using Sysmon Event ID 1 (Process Creation). Identifies systeminfo.exe, msinfo32.exe, wmic OS/hardware queries, registry version key lookups, and PowerShell WMI-based OS enumeration. Scores each event across detection categories and parent process risk to help analysts quickly triage automated inventory from adversarial reconnaissance.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT operations scripts and monitoring agents (Zabbix, SolarWinds, SCCM inventory) that routinely collect system information
Software installers checking OS version compatibility before installing packages
Help desk and remote support tools that gather system information for troubleshooting tickets
Vulnerability scanners and compliance auditing tools (Tenable, Qualys) enumerating host details
Developer workstations where engineers query system info for build environment validation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process" AS parent_process,
  CASE WHEN LOWER("Process Name") IN ('systeminfo.exe','msinfo32.exe') THEN 1 ELSE 0 END AS is_sysinfo_tool,
  CASE WHEN LOWER("Process Name") = 'wmic.exe'
    AND (
      LOWER("Command") LIKE '% os get %'
      OR LOWER("Command") LIKE '% computersystem get %'
      OR LOWER("Command") LIKE '% bios get %'
      OR LOWER("Command") LIKE '% cpu get %'
      OR LOWER("Command") LIKE '% memorychip get %'
      OR LOWER("Command") LIKE '% csproduct get %'
    ) THEN 1 ELSE 0 END AS is_wmic_os_enum,
  CASE WHEN LOWER("Process Name") = 'reg.exe'
    AND LOWER("Command") LIKE '%query%'
    AND (
      LOWER("Command") LIKE '%currentversion%'
      OR LOWER("Command") LIKE '%currentbuildnumber%'
      OR LOWER("Command") LIKE '%productname%'
      OR LOWER("Command") LIKE '%releaseid%'
      OR LOWER("Command") LIKE '%displayversion%'
    ) THEN 1 ELSE 0 END AS is_reg_query,
  CASE WHEN LOWER("Process Name") IN ('powershell.exe','pwsh.exe')
    AND (
      LOWER("Command") LIKE '%get-computerinfo%'
      OR LOWER("Command") LIKE '%win32_operatingsystem%'
      OR LOWER("Command") LIKE '%win32_bios%'
      OR LOWER("Command") LIKE '%win32_computersystem%'
      OR LOWER("Command") LIKE '%osversion%'
      OR LOWER("Command") LIKE '%$env:os%'
    ) THEN 1 ELSE 0 END AS is_ps_enum,
  CASE WHEN LOWER("Parent Process") IN ('wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe') THEN 1 ELSE 0 END AS suspicious_parent,
  CASE WHEN LOWER("Parent Process") IN ('winword.exe','excel.exe','outlook.exe','powerpnt.exe') THEN 1 ELSE 0 END AS office_parent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 376)
  AND (
    LOWER("Process Name") IN ('systeminfo.exe','msinfo32.exe')
    OR (
      LOWER("Process Name") = 'wmic.exe'
      AND (
        LOWER("Command") LIKE '% os get %'
        OR LOWER("Command") LIKE '% computersystem get %'
        OR LOWER("Command") LIKE '% bios get %'
        OR LOWER("Command") LIKE '% cpu get %'
        OR LOWER("Command") LIKE '% memorychip get %'
        OR LOWER("Command") LIKE '% csproduct get %'
      )
    )
    OR (
      LOWER("Process Name") = 'reg.exe'
      AND LOWER("Command") LIKE '%query%'
      AND (
        LOWER("Command") LIKE '%currentversion%'
        OR LOWER("Command") LIKE '%currentbuildnumber%'
        OR LOWER("Command") LIKE '%productname%'
        OR LOWER("Command") LIKE '%releaseid%'
        OR LOWER("Command") LIKE '%displayversion%'
      )
    )
    OR (
      LOWER("Process Name") IN ('powershell.exe','pwsh.exe')
      AND (
        LOWER("Command") LIKE '%get-computerinfo%'
        OR LOWER("Command") LIKE '%win32_operatingsystem%'
        OR LOWER("Command") LIKE '%win32_bios%'
        OR LOWER("Command") LIKE '%osversion%'
        OR LOWER("Command") LIKE '%$env:os%'
      )
    )
    OR (
      LOWER("Process Name") = 'cmd.exe'
      AND LOWER("Command") LIKE '% ver %'
    )
  )
ORDER BY event_time DESC
LAST 24 HOURS

Detects T1082 System Information Discovery using QRadar AQL against Windows Security Event Log (LOGSOURCETYPEID 12) and Sysmon (LOGSOURCETYPEID 376) log sources. Scores enumeration technique categories and flags suspicious or Office parent process chains.

medium severity high confidence

Data Sources

IBM QRadar with Windows Security Event Log DSM IBM QRadar with Microsoft Windows Sysmon DSM

Required Tables

events

False Positives

Endpoint management platforms such as IBM BigFix, Microsoft SCCM, or Ivanti running automated hardware and OS inventory collection tasks that invoke wmic.exe or systeminfo.exe on a scheduled basis
Security vulnerability scanners (e.g., Tenable Nessus, Qualys, Rapid7 InsightVM) authenticating to endpoints and running OS fingerprinting queries via WMI or reg.exe as part of authenticated scanning
Developers and DevOps engineers using PowerShell scripts with Get-ComputerInfo or Win32_OperatingSystem checks during CI/CD pipeline runs or environment provisioning automation

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*wineventlog*)
| where EventID = "1" OR EventID = "4688"
| parse field=Message "Image: *" as Image nodrop
| parse field=Message "CommandLine: *" as CommandLine nodrop
| parse field=Message "ParentImage: *" as ParentImage nodrop
| parse field=Message "User: *" as User nodrop
| eval Image_lower = toLowerCase(Image)
| eval CmdLine_lower = toLowerCase(CommandLine)
| eval Parent_lower = toLowerCase(ParentImage)
| where (
    Image_lower matches "*\\systeminfo.exe"
    OR Image_lower matches "*\\msinfo32.exe"
    OR (
      Image_lower matches "*\\wmic.exe"
      AND (
        CmdLine_lower matches "* os get *"
        OR CmdLine_lower matches "* computersystem get *"
        OR CmdLine_lower matches "* bios get *"
        OR CmdLine_lower matches "* cpu get *"
        OR CmdLine_lower matches "* memorychip get *"
        OR CmdLine_lower matches "* csproduct get *"
      )
    )
    OR (
      Image_lower matches "*\\reg.exe"
      AND CmdLine_lower matches "*query*"
      AND (
        CmdLine_lower matches "*currentversion*"
        OR CmdLine_lower matches "*currentbuildnumber*"
        OR CmdLine_lower matches "*productname*"
        OR CmdLine_lower matches "*releaseid*"
        OR CmdLine_lower matches "*displayversion*"
      )
    )
    OR (
      (Image_lower matches "*\\powershell.exe" OR Image_lower matches "*\\pwsh.exe")
      AND (
        CmdLine_lower matches "*get-computerinfo*"
        OR CmdLine_lower matches "*win32_operatingsystem*"
        OR CmdLine_lower matches "*win32_bios*"
        OR CmdLine_lower matches "*win32_computersystem*"
        OR CmdLine_lower matches "*osversion*"
        OR CmdLine_lower matches "*$env:os*"
        OR CmdLine_lower matches "*gwmi win32_os*"
      )
    )
    OR (
      Image_lower matches "*\\cmd.exe"
      AND CmdLine_lower matches "* ver *"
    )
  )
| eval IsSystemInfo = if(Image_lower matches "*(systeminfo|msinfo32).exe", 1, 0)
| eval IsWmicOsEnum = if(Image_lower matches "*wmic.exe" AND (CmdLine_lower matches "* os get *" OR CmdLine_lower matches "* computersystem get *" OR CmdLine_lower matches "* bios get *"), 1, 0)
| eval IsRegQuery = if(Image_lower matches "*reg.exe" AND CmdLine_lower matches "*query*" AND (CmdLine_lower matches "*currentversion*" OR CmdLine_lower matches "*productname*"), 1, 0)
| eval IsPSEnum = if((Image_lower matches "*powershell.exe" OR Image_lower matches "*pwsh.exe") AND (CmdLine_lower matches "*get-computerinfo*" OR CmdLine_lower matches "*win32_operatingsystem*" OR CmdLine_lower matches "*osversion*"), 1, 0)
| eval SuspiciousParent = if(Parent_lower matches "*(wscript|cscript|mshta|rundll32|regsvr32).exe", 1, 0)
| eval OfficeParent = if(Parent_lower matches "*(winword|excel|outlook|powerpnt).exe", 1, 0)
| eval TotalScore = IsSystemInfo + IsWmicOsEnum + IsRegQuery + IsPSEnum + SuspiciousParent + OfficeParent
| fields _messageTime, host, User, Image, CommandLine, ParentImage, IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum, SuspiciousParent, OfficeParent, TotalScore
| sort by _messageTime desc

Detects T1082 System Information Discovery in Sumo Logic using Sysmon Event ID 1 or Security Event 4688 process creation records. Parses Image, CommandLine, and ParentImage from raw message text and scores each detection category, flagging suspicious and Office parent chains.

medium severity high confidence

Data Sources

Sumo Logic with Windows Sysmon log collection Sumo Logic with Windows Security Event Log (4688 with command-line auditing enabled)

Required Tables

Windows Sysmon source category WinEventLog Security source category

False Positives

Automated patch management and compliance scanning tools (e.g., ManageEngine, Lansweeper, Spiceworks) that regularly collect OS build version and hardware metadata from endpoints for asset tracking
Helpdesk remote support agents (e.g., TeamViewer, ConnectWise, LogMeIn) running systeminfo.exe or PowerShell WMI queries interactively during end-user support sessions
Application compatibility shims and installers checking OS version, architecture, and available memory via wmic.exe or reg.exe CurrentVersion queries before beginning installation routines

Google Chronicle / SecOps

yaral

rule T1082_System_Information_Discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects System Information Discovery via systeminfo, msinfo32, wmic OS/hardware enumeration, reg.exe version queries, and PowerShell WMI system fingerprinting (MITRE ATT&CK T1082)"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1082"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1082/"
    severity = "MEDIUM"
    confidence = "HIGH"
    platform = "Windows"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.product_name = /Windows/i
    (
      re.regex($e.target.process.file.full_path, `(?i)(\\systeminfo\.exe|\\msinfo32\.exe)$`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(os\s+get|computersystem\s+get|bios\s+get|cpu\s+get|memorychip\s+get|csproduct\s+get)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bquery\b`) and
        re.regex($e.target.process.command_line, `(?i)(currentversion|currentbuildnumber|productname|releaseid|displayversion)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(get-computerinfo|win32_operatingsystem|win32_bios|win32_computersystem|osversion|\$env:os|gwmi\s+win32_os)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\cmd\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bver\b`)
      )
    )

  outcome:
    $suspicious_parent = re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32|svchost)\.exe$`)
    $office_parent = re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|mspub)\.exe$`)
    $process_image = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_image = $e.principal.process.file.full_path
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1082 System Information Discovery via UDM PROCESS_LAUNCH events. Matches systeminfo/msinfo32 execution, wmic OS/hardware enumeration, reg.exe version registry queries, and PowerShell WMI system fingerprinting. Outcome fields expose parent chain context for analyst triage.

medium severity high confidence

Data Sources

Google Chronicle with Windows Endpoint telemetry (via Ingestion API or Chronicle Forwarder) Chronicle with Microsoft Defender for Endpoint UDM feed

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

System Center Configuration Manager (SCCM/MECM) Hardware Inventory agent running wmic queries against Win32_OperatingSystem, Win32_BIOS, and Win32_ComputerSystem classes on a recurring collection schedule
Windows Deployment Services or MDT task sequences querying OS version via systeminfo.exe or reg.exe during post-installation setup phases to validate build prerequisites
Security operations scripts and runbooks that collect host baseline data (OS version, patch level, architecture) as a first step in incident response triage procedures run by analysts

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(systeminfo|msinfo32|wmic|reg|powershell|pwsh|cmd)\.exe$/i
| IsSystemInfo := if(FileName = /^(systeminfo|msinfo32)\.exe$/i, 1, 0)
| IsWmicOsEnum := if(
    FileName = /^wmic\.exe$/i AND
    CommandLine = /(?i)(os\s+get|computersystem\s+get|bios\s+get|cpu\s+get|memorychip\s+get|csproduct\s+get)/,
    1, 0
  )
| IsRegQuery := if(
    FileName = /^reg\.exe$/i AND
    CommandLine = /(?i)\bquery\b/ AND
    CommandLine = /(?i)(currentversion|currentbuildnumber|productname|releaseid|displayversion)/,
    1, 0
  )
| IsPSEnum := if(
    FileName = /^(powershell|pwsh)\.exe$/i AND
    CommandLine = /(?i)(get-computerinfo|win32_operatingsystem|win32_bios|win32_computersystem|osversion|\$env:os|gwmi\s+win32_os)/,
    1, 0
  )
| IsCmdVer := if(
    FileName = /^cmd\.exe$/i AND
    CommandLine = /(?i)\bver\b/,
    1, 0
  )
| where IsSystemInfo = 1 OR IsWmicOsEnum = 1 OR IsRegQuery = 1 OR IsPSEnum = 1 OR IsCmdVer = 1
| SuspiciousParent := if(
    ParentBaseFileName = /^(wscript|cscript|mshta|rundll32|regsvr32|svchost|services)\.exe$/i,
    1, 0
  )
| OfficeParent := if(
    ParentBaseFileName = /^(winword|excel|outlook|powerpnt|mspub)\.exe$/i,
    1, 0
  )
| TotalScore := IsSystemInfo + IsWmicOsEnum + IsRegQuery + IsPSEnum + IsCmdVer + SuspiciousParent + OfficeParent
| select(
    [timestamp, ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine,
     IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum, IsCmdVer,
     SuspiciousParent, OfficeParent, TotalScore]
  )
| sort(field=timestamp, order=desc)

Detects T1082 System Information Discovery in CrowdStrike Falcon LogScale using ProcessRollup2 events. Matches systeminfo/msinfo32, wmic OS/hardware enumeration, reg.exe version registry queries, PowerShell WMI fingerprinting, and cmd.exe ver. Computes a composite risk score and surfaces suspicious or Office parent process chains for analyst triage.

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events via LogScale/Humio)

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon sensor itself or other EDR agents performing self-registration and host fingerprinting on startup, which may invoke WMI or registry queries to identify OS version and architecture for sensor compatibility checks
Enterprise software distribution systems (SCCM, Intune, Jamf for Windows) that enumerate OS version, installed hotfixes, and hardware configuration before deploying software packages or enforcing compliance baselines
Penetration testers or red teamers operating under an authorized engagement who run systeminfo.exe or PowerShell WMI discovery as part of a post-exploitation simulation with documented scope

Sigma rule & cross-platform mapping

The detection logic for System Information Discovery (T1082) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1082 Sigma rules on detection.fyi

Platform-specific guides for T1082

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1System Information Enumeration via systeminfo.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\systeminfo.exe, CommandLine containing redirect to temp file. Sysmon Event ID 11: File Create event for %TEMP%\sysinfo_out.txt. Security Event ID 4688 if command line auditing enabled.
Test 2WMI OS and Hardware Discovery via wmic.exe
Expected signal: Sysmon Event ID 1: Four separate Process Create events for wmic.exe, each with distinct CommandLine arguments containing 'os get', 'computersystem get', 'bios get', 'cpu get'. Multiple rapid wmic executions from the same parent within seconds is particularly notable.
Test 3PowerShell WMI-based System Profiling
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-CimInstance Win32_OperatingSystem' and 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) with full script content showing WMI class queries.
Test 4Registry Query for Windows Version Information
Expected signal: Sysmon Event ID 1: Three Process Create events for reg.exe, each querying HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion for different value names. Sysmon Event ID 13 (Registry Value Set) is NOT generated because these are read operations; detection relies on process creation with reg.exe command line analysis.
Test 5Linux System Information Discovery via uname and /etc/os-release
Expected signal: Linux auditd syscall records for execve of /usr/bin/uname, /bin/cat with arguments /etc/os-release and /proc/version, /usr/bin/hostnamectl, /usr/bin/lscpu. Syslog entries if process accounting is enabled. In cloud environments, these commands may appear in CloudTrail/GCP audit logs if executed via SSM Session Manager or similar.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1082 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Information Discovery

What is T1082 System Information Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1082

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1082 System Information Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1082

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox