Skip to content

DET0525 System Discovery via Native and Remote Utilities

Item Value
ID DET0525
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1082 (System Information Discovery)

Analytics

Windows

AN1452

Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Mutable Elements
Field Description
TimeWindow Detect multiple discovery commands executed in short succession.
UserContext Scope alerts to unusual user accounts or service accounts.

Linux

AN1453

Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
CommandList Customize list of commands of interest (e.g., uname, lscpu, etc.)
TerminalSessionID Correlate sessions for behavior context.

macOS

AN1454

Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog log show –predicate ‘process ==
Mutable Elements
Field Description
ParentProcess Determine if script or terminal executed the command.
FrequencyThreshold Number of discovery commands in a short window.

ESXi

AN1455

Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:vmkernel /var/log/vmkernel.log
Mutable Elements
Field Description
SessionOrigin Track SSH or console-based entry points.
CommandString Customize detection for expected CLI queries.

IaaS

AN1456

Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.

Log Sources
Data Component Name Channel
Instance Enumeration (DC0075) AWS:CloudTrail DescribeInstances, GetConsoleOutput, DescribeImages
Mutable Elements
Field Description
IAMRoleContext Limit detection to non-standard identities performing these calls.
APIFrequency Identify enumeration sweeps by volume.

Network Devices

AN1457

Execution of show version, show hardware, or show system commands through CLI via SSH or console.

Log Sources
Data Component Name Channel
Command Execution (DC0064) networkdevice:syslog Privilege-level command execution
Mutable Elements
Field Description
Username Highlight unexpected users issuing diagnostic commands.
CommandList Tailor to vendor-specific command syntax.