security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
T
frack113 cd4121d966 Update Title (#3731) 
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-11-27 19:19:27 +01:00

36 lines
1.1 KiB
YAML
Raw Blame History

title: System and Hardware Information Discovery
id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
related:
- id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
type: derived
status: stable
description: Detects system information discovery commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
author: Ömer Günal, oscd.community
date: 2020/10/08
modified: 2022/11/26
tags:
- attack.discovery
- attack.t1082
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- '/sys/class/dmi/id/bios_version'
- '/sys/class/dmi/id/product_name'
- '/sys/class/dmi/id/chassis_vendor'
- '/proc/scsi/scsi'
- '/proc/ide/hd0/model'
- '/proc/version'
- '/etc/*version'
- '/etc/*release'
- '/etc/issue'
condition: selection
falsepositives:
- Legitimate administration activities
level: informational
Reference in New Issue View Git Blame Copy Permalink