title: System Information Discovery (T1082)
id: df00tech-t1082
status: experimental
description: "Adversaries may attempt to gather detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Tools such as systeminfo, wmic, ver, and uname can be used to enumerate this data. Adversaries use this information to shape follow-on behaviors, including payload targeting, privilege escalation path selection, and evasion tuning. On ESXi, esxcli utilities expose system version and hostname. In cloud IaaS environments, authenticated API calls can return OS platform and instance metadata. This technique is frequently observed early in post-exploitation chains as part of host fingerprinting."
references:
  - https://attack.mitre.org/techniques/T1082/
  - https://df00tech.com/detections/T1082
author: df00tech
date: 2026/04/13
tags:
  - attack.t1082
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every event in the logsource and must be
  # replaced with the real query logic before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT operations scripts and monitoring agents (Zabbix, SolarWinds, SCCM inventory) that routinely collect system information"
  - Software installers checking OS version compatibility before installing packages
  - Help desk and remote support tools that gather system information for troubleshooting tickets
  - "Vulnerability scanners and compliance auditing tools (Tenable, Qualys, CrowdStrike Spotlight) enumerating host details"
  - Developer workstations where engineers query system info for build environment validation
level: low
