Merge PR #5444 from @CheraghiMilad - Discovery System Info via Sysinfo Syscall

new: System Info Discovery via Sysinfo Syscall --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-05 15:14:39 +03:30
parent 3eb0198939
commit ff60fa5f91
1 changed files with 32 additions and 0 deletions
@@ -0,0 +1,32 @@
+title: System Info Discovery via Sysinfo Syscall
+id: b207d563-a1d9-4275-b349-77d1eb55aa6d
+status: experimental
+description: |
+    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
+    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
+references:
+    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
+    - https://man7.org/linux/man-pages/man2/sysinfo.2.html
+author: Milad Cheraghi
+date: 2025-05-30
+tags:
+    - attack.discovery
+    - attack.t1057
+    - attack.t1082
+logsource:
+    product: linux
+    service: auditd
+    definition: |
+        Required auditd configuration:
+        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
+        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
+detection:
+    selection:
+        type: 'SYSCALL'
+        syscall: 'sysinfo'
+    filter_optional_splunk:
+        exe|endswith: '/bin/splunkd'
+    condition: selection and not 1 of filter_optional_*
+falsepositives:
+    - Legitimate administrative activity
+level: low