T1082 Sumo Logic CSE · Sumo

Detect System Information Discovery in Sumo Logic CSE

Adversaries may attempt to gather detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Tools such as systeminfo, wmic, ver, and uname can be used to enumerate this data. Adversaries use this information to shape follow-on behaviors, including payload targeting, privilege escalation path selection, and evasion tuning. On ESXi, esxcli utilities expose system version and hostname. In cloud IaaS environments, authenticated API calls can return OS platform and instance metadata. This technique is frequently observed early in post-exploitation chains as part of host fingerprinting.

MITRE ATT&CK

Tactic
Discovery
Technique
T1082 System Information Discovery
Canonical reference
https://attack.mitre.org/techniques/T1082/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*windows/sysmon* OR _sourceCategory=*wineventlog*)
// EventID and Message are assumed to be extracted fields on the Windows source (JSON auto-parsing or a field extraction rule)
| where EventID = "1" OR EventID = "4688"
// Sysmon 1 and Security 4688 label the same data differently; parse both forms and merge them
| parse field=Message "Image: *" as Image nodrop
| parse field=Message "CommandLine: *" as CommandLine nodrop
| parse field=Message "ParentImage: *" as ParentImage nodrop
| parse field=Message "User: *" as User nodrop
| parse field=Message "New Process Name: *" as NewProcessName nodrop
| parse field=Message "Process Command Line: *" as ProcessCommandLine nodrop
| parse field=Message "Creator Process Name: *" as CreatorProcessName nodrop
| parse field=Message "Account Name: *" as AccountName nodrop
| if(isBlank(Image), NewProcessName, Image) as ProcessImage
| if(isBlank(CommandLine), ProcessCommandLine, CommandLine) as ProcessCmdLine
| if(isBlank(ParentImage), CreatorProcessName, ParentImage) as ParentProcess
| if(isBlank(User), AccountName, User) as ProcessUser
| toLowerCase(ProcessImage) as Image_lower
| toLowerCase(ProcessCmdLine) as CmdLine_lower
| toLowerCase(ParentProcess) as Parent_lower
// 'ver' takes no arguments, so the cmd.exe branch matches it at end of line or before a & or | separator
| where (
    Image_lower matches "*\\systeminfo.exe"
    OR Image_lower matches "*\\msinfo32.exe"
    OR (
      Image_lower matches "*\\wmic.exe"
      AND (
        CmdLine_lower matches "* os get*"
        OR CmdLine_lower matches "* computersystem get*"
        OR CmdLine_lower matches "* bios get*"
        OR CmdLine_lower matches "* cpu get*"
        OR CmdLine_lower matches "* memorychip get*"
        OR CmdLine_lower matches "* csproduct get*"
      )
    )
    OR (
      Image_lower matches "*\\reg.exe"
      AND CmdLine_lower matches "*query*"
      AND (
        CmdLine_lower matches "*currentversion*"
        OR CmdLine_lower matches "*currentbuildnumber*"
        OR CmdLine_lower matches "*productname*"
        OR CmdLine_lower matches "*releaseid*"
        OR CmdLine_lower matches "*displayversion*"
      )
    )
    OR (
      (Image_lower matches "*\\powershell.exe" OR Image_lower matches "*\\pwsh.exe")
      AND (
        CmdLine_lower matches "*get-computerinfo*"
        OR CmdLine_lower matches "*win32_operatingsystem*"
        OR CmdLine_lower matches "*win32_bios*"
        OR CmdLine_lower matches "*win32_computersystem*"
        OR CmdLine_lower matches "*osversion*"
        OR CmdLine_lower matches "*$env:os*"
        OR CmdLine_lower matches "*gwmi win32_os*"
      )
    )
    OR (
      Image_lower matches "*\\cmd.exe"
      AND CmdLine_lower matches /.*(^|\s)ver(\s|&|\||$).*/
    )
  )
// Scoring: wildcard strings cannot carry regex alternation, so the grouped checks use /regex/ literals
| if(Image_lower matches /.*\\(systeminfo|msinfo32)\.exe$/, 1, 0) as IsSystemInfo
| if(Image_lower matches "*\\wmic.exe" AND (CmdLine_lower matches "* os get*" OR CmdLine_lower matches "* computersystem get*" OR CmdLine_lower matches "* bios get*"), 1, 0) as IsWmicOsEnum
| if(Image_lower matches "*\\reg.exe" AND CmdLine_lower matches "*query*" AND (CmdLine_lower matches "*currentversion*" OR CmdLine_lower matches "*productname*"), 1, 0) as IsRegQuery
| if((Image_lower matches "*\\powershell.exe" OR Image_lower matches "*\\pwsh.exe") AND (CmdLine_lower matches "*get-computerinfo*" OR CmdLine_lower matches "*win32_operatingsystem*" OR CmdLine_lower matches "*osversion*"), 1, 0) as IsPSEnum
| if(Parent_lower matches /.*\\(wscript|cscript|mshta|rundll32|regsvr32)\.exe$/, 1, 0) as SuspiciousParent
| if(Parent_lower matches /.*\\(winword|excel|outlook|powerpnt)\.exe$/, 1, 0) as OfficeParent
| (IsSystemInfo + IsWmicOsEnum + IsRegQuery + IsPSEnum + SuspiciousParent + OfficeParent) as TotalScore
| fields _messageTime, _sourceHost, ProcessUser, ProcessImage, ProcessCmdLine, ParentProcess, IsSystemInfo, IsWmicOsEnum, IsRegQuery, IsPSEnum, SuspiciousParent, OfficeParent, TotalScore
// raw (non-aggregated) results are returned newest first; sort by applies after an aggregation operator

Severity
medium
Confidence
high

Detects T1082 System Information Discovery in Sumo Logic from Sysmon Event ID 1 and Security Event ID 4688 process creation records. It parses the process image, command line, parent image and user out of the raw message text, flags each enumeration category (systeminfo/msinfo32, wmic OS and hardware classes, reg.exe CurrentVersion queries, PowerShell WMI/CIM calls, cmd ver), and adds weight when the parent is a script host or an Office application, so TotalScore can drive the alert threshold. The query is written in Sumo Logic log search syntax; CSE rules use their own expression language over normalized records, so port the conditions into a rule rather than pasting the search.
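As an added example (not part of this page and not Sumo Logic's code), the Python below re-implements the scoring logic of the query over constructed Sysmon Event ID 1 and Security 4688 message bodies, so the behaviour can be checked offline before the search is deployed. It goes slightly beyond the query in three places: it scores the cmd /c ver branch (which the query filters on but does not score), it scores all six wmic classes, and it adds the rapid-wmic-burst correlation by host and parent that the Test 2 guidance describes. Host names, user names, paths, SIDs and timestamps are invented.

```python
"""Per-event scoring of the T1082 query, re-implemented in Python so it can run
offline over Sysmon Event ID 1 and Security 4688 message text. Added example,
not Sumo Logic's code; every event below is constructed."""
import re
from datetime import datetime, timedelta

# Sysmon 1 and Security 4688 label the same data differently; map both forms.
FIELD_LABELS = {
    "Image": ("Image", "New Process Name"),
    "CommandLine": ("CommandLine", "Process Command Line"),
    "ParentImage": ("ParentImage", "Creator Process Name"),
    "User": ("User", "Account Name"),
}
WMIC_CLASSES = ("os", "computersystem", "bios", "cpu", "memorychip", "csproduct")
REG_VERSION_VALUES = ("currentversion", "currentbuildnumber", "productname",
                      "releaseid", "displayversion")
PS_PATTERNS = ("get-computerinfo", "win32_operatingsystem", "win32_bios",
               "win32_computersystem", "osversion", "$env:os", "gwmi win32_os")
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
DISCOVERY_FLAGS = ("IsSystemInfo", "IsWmicOsEnum", "IsRegQuery", "IsPSEnum", "IsCmdVer")


def parse_event(message: str) -> dict:
    """Extract Image/CommandLine/ParentImage/User from either message format.
    Anchoring at line start keeps 'Image:' from matching inside 'ParentImage:'."""
    out = {}
    for key, labels in FIELD_LABELS.items():
        for label in labels:
            m = re.search(rf"^[ \t]*{re.escape(label)}:[ \t]*(.*?)[ \t]*$", message, re.M)
            if m:
                out[key] = m.group(1)
                break
        out.setdefault(key, "")
    return out


def exe_name(path: str) -> str:
    """Lower-cased file name, the equivalent of the query's *\\name.exe wildcards."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: dict) -> dict:
    """Mirror the query's flags and TotalScore for one parsed event."""
    image, cmd, parent = exe_name(ev["Image"]), ev["CommandLine"].lower(), exe_name(ev["ParentImage"])
    flags = {
        "IsSystemInfo": image in ("systeminfo.exe", "msinfo32.exe"),
        "IsWmicOsEnum": image == "wmic.exe" and any(f" {c} get" in cmd for c in WMIC_CLASSES),
        "IsRegQuery": image == "reg.exe" and "query" in cmd
                      and any(v in cmd for v in REG_VERSION_VALUES),
        "IsPSEnum": image in ("powershell.exe", "pwsh.exe") and any(p in cmd for p in PS_PATTERNS),
        # 'ver' takes no arguments, so it ends the line or precedes a & or | separator;
        # a "* ver *" wildcard with a trailing space would miss the common 'cmd /c ver'.
        "IsCmdVer": image == "cmd.exe" and re.search(r"(^|\s)ver\s*([&|]|$)", cmd) is not None,
        "SuspiciousParent": parent in SUSPICIOUS_PARENTS,
        "OfficeParent": parent in OFFICE_PARENTS,
    }
    result = {k: int(v) for k, v in flags.items()}
    # The where-clause keeps an event only when a discovery command matched;
    # parent flags alone never produce a hit.
    result["Matched"] = any(result[k] for k in DISCOVERY_FLAGS)
    result["TotalScore"] = sum(result[k] for k in flags) if result["Matched"] else 0
    return result


def wmic_bursts(events, window_s=10, min_count=3) -> dict:
    """Test 2 signal the query does not express: several distinct wmic enumeration
    commands from the same parent on one host inside window_s seconds.
    events: iterable of (timestamp, host, message). Returns {(host, parent): n}."""
    by_parent = {}
    for ts, host, msg in events:
        ev = parse_event(msg)
        if score_event(ev)["IsWmicOsEnum"]:
            key = (host, exe_name(ev["ParentImage"]))
            by_parent.setdefault(key, []).append((ts, ev["CommandLine"].lower()))
    bursts = {}
    for key, hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {c for t, c in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(in_window) >= min_count:
                bursts[key] = max(bursts.get(key, 0), len(in_window))
    return bursts


def sysmon_message(image, cmdline, parent, user=r"CORP\jdoe") -> str:
    """Constructed Sysmon Event ID 1 body carrying the fields the parser needs."""
    return (f"Process Create:\nImage: {image}\nCommandLine: {cmdline}\n"
            f"User: {user}\nParentImage: {parent}\nParentCommandLine: -\n")


# Constructed Security 4688 body (Windows 10+/2016+ layout with Creator Process Name).
SECURITY_4688 = r"""A new process has been created.
Subject:
    Account Name:       jdoe
    Account Domain:     CORP
Process Information:
    New Process ID:     0x1a2c
    New Process Name:   C:\Windows\System32\wbem\WMIC.exe
    Creator Process ID: 0x0f44
    Creator Process Name:   C:\Windows\System32\cscript.exe
    Process Command Line:   wmic os get Caption,Version,OSArchitecture
"""

T0 = datetime(2024, 5, 1, 10, 2, 11)
WMIC, CSCRIPT = r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cscript.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # (timestamp, host, message), all constructed
    (T0, "WS-042", sysmon_message(r"C:\Windows\System32\systeminfo.exe", "systeminfo", WINWORD)),
    (T0 + timedelta(seconds=1), "WS-042", SECURITY_4688),
    (T0 + timedelta(seconds=2), "WS-042", sysmon_message(WMIC, "wmic computersystem get Model,Manufacturer", CSCRIPT)),
    (T0 + timedelta(seconds=3), "WS-042", sysmon_message(WMIC, "wmic bios get SerialNumber", CSCRIPT)),
    (T0 + timedelta(seconds=4), "WS-042", sysmon_message(WMIC, "wmic cpu get Name", CSCRIPT)),
    (T0 + timedelta(minutes=5), "WS-042", sysmon_message(r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver", r"C:\Windows\explorer.exe")),
    (T0 + timedelta(minutes=6), "WS-042", sysmon_message(r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.1", r"C:\Windows\System32\cmd.exe")),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Score every event as the query would, returning only the rows it keeps."""
    rows = [dict(score_event(parse_event(m)), host=h, time=t) for t, h, m in events]
    return [r for r in rows if r["Matched"]]
```

Running `run()` keeps six of the seven sample events (the ping is dropped), with the systeminfo-from-WINWORD and the wmic-from-cscript rows scoring 2 and the interactive `cmd /c ver` scoring 1; `wmic_bursts(SAMPLE_EVENTS)` reports four distinct wmic enumerations from cscript.exe on WS-042 inside the window. The 4688 mapping matters in practice: without it, every Security-log event parses to empty fields and silently scores 0.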

Data Sources

  • Sumo Logic with Windows Sysmon log collection
  • Sumo Logic with Windows Security Event Log (4688 with command-line auditing enabled)

Required Tables

  • Windows Sysmon source category
  • WinEventLog Security source category

False Positives & Tuning

  • Automated patch management and compliance scanning tools (e.g., ManageEngine, Lansweeper, Spiceworks) that regularly collect OS build version and hardware metadata from endpoints for asset tracking
  • Helpdesk remote support agents (e.g., TeamViewer, ConnectWise, LogMeIn) running systeminfo.exe or PowerShell WMI queries interactively during end-user support sessions
  • Application compatibility shims and installers checking OS version, architecture, and available memory via wmic.exe or reg.exe CurrentVersion queries before beginning installation routines
  • Security 4688 records carry the parent image (Creator Process Name) only on Windows 10 / Server 2016 and later; on older hosts the parent-based scoring applies to Sysmon events only
  • TotalScore is the tuning knob: an interactive systeminfo launched from cmd.exe scores 1, while the same command spawned by winword.exe or wscript.exe scores 2. A practical starting point is to alert at 2 or more and route single-flag hits to a scheduled hunt, allow-listing the agents above by parent image rather than by command

Testing Methodology

Validate this detection with the five test cases below, drawn from Atomic Red Team's T1082 tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: System Information Enumeration via systeminfo.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\systeminfo.exe. When the test runs through cmd.exe with output redirected to %TEMP%\sysinfo_out.txt, the redirect appears only in the parent cmd.exe command line; systeminfo.exe's own CommandLine is just systeminfo. Sysmon Event ID 11: File Create for %TEMP%\sysinfo_out.txt, attributed to cmd.exe (which opens the redirect target before spawning the child) and only if the Sysmon configuration has a FileCreate rule covering that path. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: WMI OS and Hardware Discovery via wmic.exe

    Expected signal: Sysmon Event ID 1: Four separate Process Create events for wmic.exe, each with distinct CommandLine arguments containing 'os get', 'computersystem get', 'bios get', 'cpu get'. Multiple rapid wmic executions from the same parent within a few seconds are particularly notable; the query scores each execution on its own, so correlate by host and parent process when hunting.

  3. Test 3: PowerShell WMI-based System Profiling

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-CimInstance Win32_OperatingSystem' and 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) with full script content showing the WMI class queries. If the test is run from a .ps1 file rather than inline, the class names are absent from the process command line and 4104 is the only record of them.

  4. Test 4: Registry Query for Windows Version Information

    Expected signal: Sysmon Event ID 1: Three Process Create events for reg.exe, each querying HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion for different value names. Sysmon Event ID 13 (Registry Value Set) is NOT generated because these are read operations; detection relies on process creation with reg.exe command line analysis.

  5. Test 5: Linux System Information Discovery via uname and /etc/os-release

    Expected signal: Linux auditd SYSCALL and EXECVE records (requires an audit rule on the execve syscall) for /usr/bin/uname, /bin/cat with arguments /etc/os-release and /proc/version, /usr/bin/hostnamectl and /usr/bin/lscpu; the EXECVE record carries the arguments and the paired SYSCALL record (same audit serial) the uid, ppid and exe. Process accounting (psacct/acct), if enabled, records only command names via lastcomm, not arguments, and does not write them to syslog. The Sumo query on this page covers Windows sources only, so this test needs a separate search over the auditd source. If the commands are run through AWS Systems Manager Session Manager or a similar service, the cloud audit log (CloudTrail) records only the session-start API call; the commands themselves are captured only where session logging to CloudWatch Logs or S3 is enabled.
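The query on this page is Windows-only, so as an added example (not part of this page and not Sumo Logic's code) here is the Linux side of Test 5 in Python: it parses auditd SYSCALL and EXECVE records, joins them by audit serial, decodes the hex-encoded arguments auditd emits for values containing spaces or quotes, and flags uname, hostnamectl, lscpu and reads of /etc/os-release or /proc/version, including when they are wrapped in sh -c. The additional version files (/etc/lsb-release, /etc/issue, /proc/cpuinfo), the extra file readers and every record shown are assumptions of the example, not something the page lists.

```python
"""Linux side of Test 5: parse auditd SYSCALL/EXECVE records, join them by audit
serial and flag OS-fingerprinting commands. Added example, not Sumo Logic's
code; all records are constructed."""
import re

AUDIT_HDR = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
ARG_KEY = re.compile(r"^a\d+$")
DIRECT = {"uname", "hostnamectl", "lscpu"}
FILE_READERS = {"cat", "head", "tail", "less", "more"}  # assumption: readers beyond cat
SHELLS = {"sh", "bash", "dash", "zsh"}
# /etc/os-release and /proc/version come from Test 5; the other paths are an
# assumption of this example.
VERSION_FILES = re.compile(r"^/(etc/(os-release|lsb-release|issue)|proc/(version|cpuinfo))$")
INLINE_RE = re.compile(r"\b(uname|hostnamectl|lscpu)\b|/etc/os-release|/proc/version")


def parse_record(line: str):
    """One auditd line -> dict. auditd hex-encodes execve arguments that contain a
    space or quote (e.g. a2=756E...), so unquoted aN values are decoded from hex."""
    m = AUDIT_HDR.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    for kv in KV_RE.finditer(line[m.end():]):
        key, quoted, bare = kv.groups()
        if quoted is not None:
            rec[key] = quoted
        elif ARG_KEY.match(key):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare
    return rec


def execve_events(lines) -> list:
    """Join the SYSCALL and EXECVE records that share a serial into one event."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line.strip())
        if rec and rec["type"] in ("SYSCALL", "EXECVE"):
            by_serial.setdefault(rec["serial"], {}).update(rec)
    events = []
    for serial, rec in sorted(by_serial.items()):
        argv = [rec[f"a{i}"] for i in range(int(rec.get("argc", 0))) if f"a{i}" in rec]
        events.append({"serial": serial, "ts": rec["ts"], "uid": rec.get("uid"),
                       "ppid": rec.get("ppid"), "exe": rec.get("exe", ""), "argv": argv})
    return events


def is_sysinfo_discovery(ev: dict) -> bool:
    """True for the commands Test 5 exercises, including when wrapped in sh -c."""
    argv = ev["argv"]
    if not argv:
        return False
    cmd = argv[0].rsplit("/", 1)[-1]
    if cmd in DIRECT:
        return True
    if cmd in FILE_READERS:
        return any(VERSION_FILES.match(a) for a in argv[1:])
    if cmd in SHELLS and "-c" in argv[1:-1]:
        script = argv[argv.index("-c") + 1]
        return INLINE_RE.search(script) is not None
    return False


def find_discovery(lines) -> list:
    """Events from the record stream that the Test 5 detection should flag."""
    return [ev for ev in execve_events(lines) if is_sysinfo_discovery(ev)]


SAMPLE_AUDIT = [  # constructed auditd records, not captured from a real host
    'type=SYSCALL msg=audit(1714557731.101:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2311 uid=1000 comm="uname" exe="/usr/bin/uname" key="execve"',
    'type=EXECVE msg=audit(1714557731.101:4501): argc=2 a0="uname" a1="-a"',
    'type=SYSCALL msg=audit(1714557731.404:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2312 uid=1000 comm="cat" exe="/usr/bin/cat" key="execve"',
    'type=EXECVE msg=audit(1714557731.404:4502): argc=3 a0="cat" a1="/etc/os-release" a2="/proc/version"',
    'type=SYSCALL msg=audit(1714557732.050:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2313 uid=1000 comm="hostnamectl" exe="/usr/bin/hostnamectl" key="execve"',
    'type=EXECVE msg=audit(1714557732.050:4503): argc=1 a0="hostnamectl"',
    # "uname -r" contains a space, so auditd emits the argument hex-encoded
    'type=SYSCALL msg=audit(1714557740.000:4504): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2314 uid=1000 comm="sh" exe="/usr/bin/dash" key="execve"',
    'type=EXECVE msg=audit(1714557740.000:4504): argc=3 a0="sh" a1="-c" a2=756E616D65202D72',
    # benign read with the same reader: not an OS fingerprint
    'type=EXECVE msg=audit(1714557750.000:4505): argc=2 a0="cat" a1="/etc/hosts"',
]
```

`find_discovery(SAMPLE_AUDIT)` returns serials 4501 through 4504 and drops the cat of /etc/hosts; the hex-decoded `sh -c "uname -r"` is the case a naive match on a0 alone would miss. Joining on the audit serial is what lets the alert carry uid and ppid from the SYSCALL record alongside the arguments from EXECVE.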
