T1082

System Information Discovery

Adversaries may attempt to gather detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Tools such as systeminfo, wmic, ver, and uname can be used to enumerate this data. Adversaries use this information to shape follow-on behaviors, including payload targeting, privilege escalation path selection, and evasion tuning. On ESXi, esxcli utilities expose system version and hostname. In cloud IaaS environments, authenticated API calls can return OS platform and instance metadata. This technique is frequently observed early in post-exploitation chains as part of host fingerprinting.

Microsoft Sentinel / Defender

kusto

let SysInfoTools = dynamic(["systeminfo.exe", "msinfo32.exe"]);
let WmicSysPatterns = dynamic(["os get", "computersystem get", "bios get", "cpu get", "memorychip get", "csproduct get"]);
let RegVersionPaths = dynamic(["CurrentVersion", "CurrentBuildNumber", "ProductName", "ReleaseId", "DisplayVersion"]);
let PSInfoPatterns = dynamic(["Get-ComputerInfo", "Get-WmiObject Win32_OperatingSystem", "Get-CimInstance Win32_OperatingSystem", "[System.Environment]::OSVersion", "$env:OS", "gwmi Win32_OS"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    FileName in~ (SysInfoTools)
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicSysPatterns))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any (RegVersionPaths) and ProcessCommandLine has "query")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSPatterns))
    or (FileName =~ "cmd.exe" and ProcessCommandLine has "ver")
)
| extend IsSystemInfo = FileName in~ (SysInfoTools)
| extend IsWmicOsEnum = FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicSysPatterns)
| extend IsRegQuery = FileName =~ "reg.exe" and ProcessCommandLine has_any (RegVersionPaths)
| extend IsPSEnum = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSInfoPatterns)
| extend SuspiciousParent = InitiatingProcessFileName in~ ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe", "services.exe")
| extend OfficeParent = InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mspub.exe")
| where IsSystemInfo or IsWmicOsEnum or IsRegQuery or IsPSEnum
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum,
         SuspiciousParent, OfficeParent
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT operations scripts and monitoring agents (Zabbix, SolarWinds, SCCM inventory) that routinely collect system information
Software installers checking OS version compatibility before installing packages
Help desk and remote support tools that gather system information for troubleshooting tickets
Vulnerability scanners and compliance auditing tools (Tenable, Qualys, CrowdStrike Spotlight) enumerating host details
Developer workstations where engineers query system info for build environment validation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval CommandLine_lower=lower(CommandLine)
| eval ParentImage_lower=lower(ParentImage)
| eval IsSystemInfo=if(match(Image_lower, "(systeminfo\.exe|msinfo32\.exe)"), 1, 0)
| eval IsWmicOsEnum=if(match(Image_lower, "wmic\.exe") AND match(CommandLine_lower, "(os\s+get|computersystem\s+get|bios\s+get|cpu\s+get|memorychip\s+get|csproduct\s+get)"), 1, 0)
| eval IsRegQuery=if(match(Image_lower, "reg\.exe") AND match(CommandLine_lower, "query") AND match(CommandLine_lower, "(currentversion|currentbuildnumber|productname|releaseid|displayversion)"), 1, 0)
| eval IsPSEnum=if((match(Image_lower, "(powershell\.exe|pwsh\.exe)")) AND match(CommandLine_lower, "(get-computerinfo|win32_operatingsystem|win32_bios|win32_computersystem|osversion|\$env:os)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage_lower, "(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)"), 1, 0)
| eval OfficeParent=if(match(ParentImage_lower, "(winword\.exe|excel\.exe|outlook\.exe|powerpnt\.exe)"), 1, 0)
| where IsSystemInfo=1 OR IsWmicOsEnum=1 OR IsRegQuery=1 OR IsPSEnum=1
| eval TotalScore=IsSystemInfo + IsWmicOsEnum + IsRegQuery + IsPSEnum + SuspiciousParent + OfficeParent
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum, SuspiciousParent, OfficeParent, TotalScore
| sort - _time

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT operations scripts and monitoring agents (Zabbix, SolarWinds, SCCM inventory) that routinely collect system information
Software installers checking OS version compatibility before installing packages
Help desk and remote support tools that gather system information for troubleshooting tickets
Vulnerability scanners and compliance auditing tools (Tenable, Qualys) enumerating host details
Developer workstations where engineers query system info for build environment validation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process" AS parent_process,
  CASE WHEN LOWER("Process Name") IN ('systeminfo.exe','msinfo32.exe') THEN 1 ELSE 0 END AS is_sysinfo_tool,
  CASE WHEN LOWER("Process Name") = 'wmic.exe'
    AND (
      LOWER("Command") LIKE '% os get %'
      OR LOWER("Command") LIKE '% computersystem get %'
      OR LOWER("Command") LIKE '% bios get %'
      OR LOWER("Command") LIKE '% cpu get %'
      OR LOWER("Command") LIKE '% memorychip get %'
      OR LOWER("Command") LIKE '% csproduct get %'
    ) THEN 1 ELSE 0 END AS is_wmic_os_enum,
  CASE WHEN LOWER("Process Name") = 'reg.exe'
    AND LOWER("Command") LIKE '%query%'
    AND (
      LOWER("Command") LIKE '%currentversion%'
      OR LOWER("Command") LIKE '%currentbuildnumber%'
      OR LOWER("Command") LIKE '%productname%'
      OR LOWER("Command") LIKE '%releaseid%'
      OR LOWER("Command") LIKE '%displayversion%'
    ) THEN 1 ELSE 0 END AS is_reg_query,
  CASE WHEN LOWER("Process Name") IN ('powershell.exe','pwsh.exe')
    AND (
      LOWER("Command") LIKE '%get-computerinfo%'
      OR LOWER("Command") LIKE '%win32_operatingsystem%'
      OR LOWER("Command") LIKE '%win32_bios%'
      OR LOWER("Command") LIKE '%win32_computersystem%'
      OR LOWER("Command") LIKE '%osversion%'
      OR LOWER("Command") LIKE '%$env:os%'
    ) THEN 1 ELSE 0 END AS is_ps_enum,
  CASE WHEN LOWER("Parent Process") IN ('wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe') THEN 1 ELSE 0 END AS suspicious_parent,
  CASE WHEN LOWER("Parent Process") IN ('winword.exe','excel.exe','outlook.exe','powerpnt.exe') THEN 1 ELSE 0 END AS office_parent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 376)
  AND (
    LOWER("Process Name") IN ('systeminfo.exe','msinfo32.exe')
    OR (
      LOWER("Process Name") = 'wmic.exe'
      AND (
        LOWER("Command") LIKE '% os get %'
        OR LOWER("Command") LIKE '% computersystem get %'
        OR LOWER("Command") LIKE '% bios get %'
        OR LOWER("Command") LIKE '% cpu get %'
        OR LOWER("Command") LIKE '% memorychip get %'
        OR LOWER("Command") LIKE '% csproduct get %'
      )
    )
    OR (
      LOWER("Process Name") = 'reg.exe'
      AND LOWER("Command") LIKE '%query%'
      AND (
        LOWER("Command") LIKE '%currentversion%'
        OR LOWER("Command") LIKE '%currentbuildnumber%'
        OR LOWER("Command") LIKE '%productname%'
        OR LOWER("Command") LIKE '%releaseid%'
        OR LOWER("Command") LIKE '%displayversion%'
      )
    )
    OR (
      LOWER("Process Name") IN ('powershell.exe','pwsh.exe')
      AND (
        LOWER("Command") LIKE '%get-computerinfo%'
        OR LOWER("Command") LIKE '%win32_operatingsystem%'
        OR LOWER("Command") LIKE '%win32_bios%'
        OR LOWER("Command") LIKE '%osversion%'
        OR LOWER("Command") LIKE '%$env:os%'
      )
    )
    OR (
      LOWER("Process Name") = 'cmd.exe'
      AND LOWER("Command") LIKE '% ver %'
    )
  )
ORDER BY event_time DESC
LAST 24 HOURS

medium severity high confidence

Data Sources

IBM QRadar with Windows Security Event Log DSM IBM QRadar with Microsoft Windows Sysmon DSM

Required Tables

events

False Positives

Endpoint management platforms such as IBM BigFix, Microsoft SCCM, or Ivanti running automated hardware and OS inventory collection tasks that invoke wmic.exe or systeminfo.exe on a scheduled basis
Security vulnerability scanners (e.g., Tenable Nessus, Qualys, Rapid7 InsightVM) authenticating to endpoints and running OS fingerprinting queries via WMI or reg.exe as part of authenticated scanning
Developers and DevOps engineers using PowerShell scripts with Get-ComputerInfo or Win32_OperatingSystem checks during CI/CD pipeline runs or environment provisioning automation

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*wineventlog*)
| where EventID = "1" OR EventID = "4688"
| parse field=Message "Image: *" as Image nodrop
| parse field=Message "CommandLine: *" as CommandLine nodrop
| parse field=Message "ParentImage: *" as ParentImage nodrop
| parse field=Message "User: *" as User nodrop
| eval Image_lower = toLowerCase(Image)
| eval CmdLine_lower = toLowerCase(CommandLine)
| eval Parent_lower = toLowerCase(ParentImage)
| where (
    Image_lower matches "*\\systeminfo.exe"
    OR Image_lower matches "*\\msinfo32.exe"
    OR (
      Image_lower matches "*\\wmic.exe"
      AND (
        CmdLine_lower matches "* os get *"
        OR CmdLine_lower matches "* computersystem get *"
        OR CmdLine_lower matches "* bios get *"
        OR CmdLine_lower matches "* cpu get *"
        OR CmdLine_lower matches "* memorychip get *"
        OR CmdLine_lower matches "* csproduct get *"
      )
    )
    OR (
      Image_lower matches "*\\reg.exe"
      AND CmdLine_lower matches "*query*"
      AND (
        CmdLine_lower matches "*currentversion*"
        OR CmdLine_lower matches "*currentbuildnumber*"
        OR CmdLine_lower matches "*productname*"
        OR CmdLine_lower matches "*releaseid*"
        OR CmdLine_lower matches "*displayversion*"
      )
    )
    OR (
      (Image_lower matches "*\\powershell.exe" OR Image_lower matches "*\\pwsh.exe")
      AND (
        CmdLine_lower matches "*get-computerinfo*"
        OR CmdLine_lower matches "*win32_operatingsystem*"
        OR CmdLine_lower matches "*win32_bios*"
        OR CmdLine_lower matches "*win32_computersystem*"
        OR CmdLine_lower matches "*osversion*"
        OR CmdLine_lower matches "*$env:os*"
        OR CmdLine_lower matches "*gwmi win32_os*"
      )
    )
    OR (
      Image_lower matches "*\\cmd.exe"
      AND CmdLine_lower matches "* ver *"
    )
  )
| eval IsSystemInfo = if(Image_lower matches "*(systeminfo|msinfo32).exe", 1, 0)
| eval IsWmicOsEnum = if(Image_lower matches "*wmic.exe" AND (CmdLine_lower matches "* os get *" OR CmdLine_lower matches "* computersystem get *" OR CmdLine_lower matches "* bios get *"), 1, 0)
| eval IsRegQuery = if(Image_lower matches "*reg.exe" AND CmdLine_lower matches "*query*" AND (CmdLine_lower matches "*currentversion*" OR CmdLine_lower matches "*productname*"), 1, 0)
| eval IsPSEnum = if((Image_lower matches "*powershell.exe" OR Image_lower matches "*pwsh.exe") AND (CmdLine_lower matches "*get-computerinfo*" OR CmdLine_lower matches "*win32_operatingsystem*" OR CmdLine_lower matches "*osversion*"), 1, 0)
| eval SuspiciousParent = if(Parent_lower matches "*(wscript|cscript|mshta|rundll32|regsvr32).exe", 1, 0)
| eval OfficeParent = if(Parent_lower matches "*(winword|excel|outlook|powerpnt).exe", 1, 0)
| eval TotalScore = IsSystemInfo + IsWmicOsEnum + IsRegQuery + IsPSEnum + SuspiciousParent + OfficeParent
| fields _messageTime, host, User, Image, CommandLine, ParentImage, IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum, SuspiciousParent, OfficeParent, TotalScore
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic with Windows Sysmon log collection Sumo Logic with Windows Security Event Log (4688 with command-line auditing enabled)

Required Tables

Windows Sysmon source category WinEventLog Security source category

False Positives

Automated patch management and compliance scanning tools (e.g., ManageEngine, Lansweeper, Spiceworks) that regularly collect OS build version and hardware metadata from endpoints for asset tracking
Helpdesk remote support agents (e.g., TeamViewer, ConnectWise, LogMeIn) running systeminfo.exe or PowerShell WMI queries interactively during end-user support sessions
Application compatibility shims and installers checking OS version, architecture, and available memory via wmic.exe or reg.exe CurrentVersion queries before beginning installation routines

Google Chronicle / SecOps

yaral

rule T1082_System_Information_Discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects System Information Discovery via systeminfo, msinfo32, wmic OS/hardware enumeration, reg.exe version queries, and PowerShell WMI system fingerprinting (MITRE ATT&CK T1082)"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1082"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1082/"
    severity = "MEDIUM"
    confidence = "HIGH"
    platform = "Windows"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.product_name = /Windows/i
    (
      re.regex($e.target.process.file.full_path, `(?i)(\\systeminfo\.exe|\\msinfo32\.exe)$`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(os\s+get|computersystem\s+get|bios\s+get|cpu\s+get|memorychip\s+get|csproduct\s+get)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bquery\b`) and
        re.regex($e.target.process.command_line, `(?i)(currentversion|currentbuildnumber|productname|releaseid|displayversion)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(get-computerinfo|win32_operatingsystem|win32_bios|win32_computersystem|osversion|\$env:os|gwmi\s+win32_os)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\cmd\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bver\b`)
      )
    )

  outcome:
    $suspicious_parent = re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32|svchost)\.exe$`)
    $office_parent = re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|mspub)\.exe$`)
    $process_image = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_image = $e.principal.process.file.full_path
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle with Windows Endpoint telemetry (via Ingestion API or Chronicle Forwarder) Chronicle with Microsoft Defender for Endpoint UDM feed

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

System Center Configuration Manager (SCCM/MECM) Hardware Inventory agent running wmic queries against Win32_OperatingSystem, Win32_BIOS, and Win32_ComputerSystem classes on a recurring collection schedule
Windows Deployment Services or MDT task sequences querying OS version via systeminfo.exe or reg.exe during post-installation setup phases to validate build prerequisites
Security operations scripts and runbooks that collect host baseline data (OS version, patch level, architecture) as a first step in incident response triage procedures run by analysts

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(systeminfo|msinfo32|wmic|reg|powershell|pwsh|cmd)\.exe$/i
| IsSystemInfo := if(FileName = /^(systeminfo|msinfo32)\.exe$/i, 1, 0)
| IsWmicOsEnum := if(
    FileName = /^wmic\.exe$/i AND
    CommandLine = /(?i)(os\s+get|computersystem\s+get|bios\s+get|cpu\s+get|memorychip\s+get|csproduct\s+get)/,
    1, 0
  )
| IsRegQuery := if(
    FileName = /^reg\.exe$/i AND
    CommandLine = /(?i)\bquery\b/ AND
    CommandLine = /(?i)(currentversion|currentbuildnumber|productname|releaseid|displayversion)/,
    1, 0
  )
| IsPSEnum := if(
    FileName = /^(powershell|pwsh)\.exe$/i AND
    CommandLine = /(?i)(get-computerinfo|win32_operatingsystem|win32_bios|win32_computersystem|osversion|\$env:os|gwmi\s+win32_os)/,
    1, 0
  )
| IsCmdVer := if(
    FileName = /^cmd\.exe$/i AND
    CommandLine = /(?i)\bver\b/,
    1, 0
  )
| where IsSystemInfo = 1 OR IsWmicOsEnum = 1 OR IsRegQuery = 1 OR IsPSEnum = 1 OR IsCmdVer = 1
| SuspiciousParent := if(
    ParentBaseFileName = /^(wscript|cscript|mshta|rundll32|regsvr32|svchost|services)\.exe$/i,
    1, 0
  )
| OfficeParent := if(
    ParentBaseFileName = /^(winword|excel|outlook|powerpnt|mspub)\.exe$/i,
    1, 0
  )
| TotalScore := IsSystemInfo + IsWmicOsEnum + IsRegQuery + IsPSEnum + IsCmdVer + SuspiciousParent + OfficeParent
| select(
    [timestamp, ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine,
     IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum, IsCmdVer,
     SuspiciousParent, OfficeParent, TotalScore]
  )
| sort(field=timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events via LogScale/Humio)

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon sensor itself or other EDR agents performing self-registration and host fingerprinting on startup, which may invoke WMI or registry queries to identify OS version and architecture for sensor compatibility checks
Enterprise software distribution systems (SCCM, Intune, Jamf for Windows) that enumerate OS version, installed hotfixes, and hardware configuration before deploying software packages or enforcing compliance baselines
Penetration testers or red teamers operating under an authorized engagement who run systeminfo.exe or PowerShell WMI discovery as part of a post-exploitation simulation with documented scope

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1082 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Information Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections