T1082 IBM QRadar · QRadar

Detect System Information Discovery in IBM QRadar

Adversaries may attempt to gather detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Tools such as systeminfo, wmic, ver, and uname can be used to enumerate this data. Adversaries use this information to shape follow-on behaviors, including payload targeting, privilege escalation path selection, and evasion tuning. On ESXi, esxcli utilities expose system version and hostname. In cloud IaaS environments, authenticated API calls can return OS platform and instance metadata. This technique is frequently observed early in post-exploitation chains as part of host fingerprinting.

MITRE ATT&CK

Tactic
Discovery
Technique
T1082 System Information Discovery
Canonical reference
https://attack.mitre.org/techniques/T1082/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process" AS parent_process,
  CASE WHEN LOWER("Process Name") IN ('systeminfo.exe','msinfo32.exe') THEN 1 ELSE 0 END AS is_sysinfo_tool,
  CASE WHEN LOWER("Process Name") = 'wmic.exe'
    AND (
      LOWER("Command") LIKE '% os get %'
      OR LOWER("Command") LIKE '% computersystem get %'
      OR LOWER("Command") LIKE '% bios get %'
      OR LOWER("Command") LIKE '% cpu get %'
      OR LOWER("Command") LIKE '% memorychip get %'
      OR LOWER("Command") LIKE '% csproduct get %'
    ) THEN 1 ELSE 0 END AS is_wmic_os_enum,
  CASE WHEN LOWER("Process Name") = 'reg.exe'
    AND LOWER("Command") LIKE '%query%'
    AND (
      LOWER("Command") LIKE '%currentversion%'
      OR LOWER("Command") LIKE '%currentbuildnumber%'
      OR LOWER("Command") LIKE '%productname%'
      OR LOWER("Command") LIKE '%releaseid%'
      OR LOWER("Command") LIKE '%displayversion%'
    ) THEN 1 ELSE 0 END AS is_reg_query,
  CASE WHEN LOWER("Process Name") IN ('powershell.exe','pwsh.exe')
    AND (
      LOWER("Command") LIKE '%get-computerinfo%'
      OR LOWER("Command") LIKE '%win32_operatingsystem%'
      OR LOWER("Command") LIKE '%win32_bios%'
      OR LOWER("Command") LIKE '%win32_computersystem%'
      OR LOWER("Command") LIKE '%osversion%'
      OR LOWER("Command") LIKE '%$env:os%'
    ) THEN 1 ELSE 0 END AS is_ps_enum,
  CASE WHEN LOWER("Parent Process") IN ('wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe') THEN 1 ELSE 0 END AS suspicious_parent,
  CASE WHEN LOWER("Parent Process") IN ('winword.exe','excel.exe','outlook.exe','powerpnt.exe') THEN 1 ELSE 0 END AS office_parent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 376)
  AND (
    LOWER("Process Name") IN ('systeminfo.exe','msinfo32.exe')
    OR (
      LOWER("Process Name") = 'wmic.exe'
      AND (
        LOWER("Command") LIKE '% os get %'
        OR LOWER("Command") LIKE '% computersystem get %'
        OR LOWER("Command") LIKE '% bios get %'
        OR LOWER("Command") LIKE '% cpu get %'
        OR LOWER("Command") LIKE '% memorychip get %'
        OR LOWER("Command") LIKE '% csproduct get %'
      )
    )
    OR (
      LOWER("Process Name") = 'reg.exe'
      AND LOWER("Command") LIKE '%query%'
      AND (
        LOWER("Command") LIKE '%currentversion%'
        OR LOWER("Command") LIKE '%currentbuildnumber%'
        OR LOWER("Command") LIKE '%productname%'
        OR LOWER("Command") LIKE '%releaseid%'
        OR LOWER("Command") LIKE '%displayversion%'
      )
    )
    OR (
      LOWER("Process Name") IN ('powershell.exe','pwsh.exe')
      AND (
        LOWER("Command") LIKE '%get-computerinfo%'
        OR LOWER("Command") LIKE '%win32_operatingsystem%'
        OR LOWER("Command") LIKE '%win32_bios%'
        OR LOWER("Command") LIKE '%osversion%'
        OR LOWER("Command") LIKE '%$env:os%'
      )
    )
    OR (
      LOWER("Process Name") = 'cmd.exe'
      AND LOWER("Command") LIKE '% ver %'
    )
  )
ORDER BY event_time DESC
LAST 24 HOURS
medium severity high confidence

Detects T1082 System Information Discovery using QRadar AQL against Windows Security Event Log (LOGSOURCETYPEID 12) and Sysmon (LOGSOURCETYPEID 376) log sources. Scores enumeration technique categories and flags suspicious or Office parent process chains.

Data Sources

IBM QRadar with Windows Security Event Log DSMIBM QRadar with Microsoft Windows Sysmon DSM

Required Tables

events

False Positives & Tuning

  • Endpoint management platforms such as IBM BigFix, Microsoft SCCM, or Ivanti running automated hardware and OS inventory collection tasks that invoke wmic.exe or systeminfo.exe on a scheduled basis
  • Security vulnerability scanners (e.g., Tenable Nessus, Qualys, Rapid7 InsightVM) authenticating to endpoints and running OS fingerprinting queries via WMI or reg.exe as part of authenticated scanning
  • Developers and DevOps engineers using PowerShell scripts with Get-ComputerInfo or Win32_OperatingSystem checks during CI/CD pipeline runs or environment provisioning automation
Download portable Sigma rule (.yml)

Other platforms for T1082

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1System Information Enumeration via systeminfo.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\systeminfo.exe, CommandLine containing redirect to temp file. Sysmon Event ID 11: File Create event for %TEMP%\sysinfo_out.txt. Security Event ID 4688 if command line auditing enabled.

  2. Test 2WMI OS and Hardware Discovery via wmic.exe

    Expected signal: Sysmon Event ID 1: Four separate Process Create events for wmic.exe, each with distinct CommandLine arguments containing 'os get', 'computersystem get', 'bios get', 'cpu get'. Multiple rapid wmic executions from the same parent within seconds is particularly notable.

  3. Test 3PowerShell WMI-based System Profiling

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-CimInstance Win32_OperatingSystem' and 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) with full script content showing WMI class queries.

  4. Test 4Registry Query for Windows Version Information

    Expected signal: Sysmon Event ID 1: Three Process Create events for reg.exe, each querying HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion for different value names. Sysmon Event ID 13 (Registry Value Set) is NOT generated because these are read operations; detection relies on process creation with reg.exe command line analysis.

  5. Test 5Linux System Information Discovery via uname and /etc/os-release

    Expected signal: Linux auditd syscall records for execve of /usr/bin/uname, /bin/cat with arguments /etc/os-release and /proc/version, /usr/bin/hostnamectl, /usr/bin/lscpu. Syslog entries if process accounting is enabled. In cloud environments, these commands may appear in CloudTrail/GCP audit logs if executed via SSM Session Manager or similar.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1082 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1049System Network Connections DiscoveryT1057Process DiscoveryT1007System Service DiscoveryT1087Account DiscoveryT1069Permission Groups DiscoveryT1518Software DiscoveryT1497.001System ChecksT1059.001PowerShell

Same Tactic: Discovery

Popular Detections