« Windows Subsystem for Linux Enabled via Dism Utility Windows System Network Connections Discovery »
Elastic Docs Elastic Security Solution [8.18] Detections and alerts Prebuilt rule reference

Windows System Information Discovery

edit
A newer version is available. Check out the latest documentation.

Windows System Information Discovery

edit

Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.

Rule type: eql

Rule indices:

  • endgame-*
  • logs-endpoint.events.process-*
  • logs-system.security*
  • logs-windows.*
  • winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Rule Type: BBR
  • Data Source: Elastic Defend
  • Data Source: Elastic Endgame
  • Data Source: Windows Security Event Logs

Version: 111

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "windows" and event.type == "start" and
(
  (
    process.name : "cmd.exe" and process.args : "ver*" and not
    process.parent.executable : (
        "?:\\Users\\*\\AppData\\Local\\Keybase\\upd.exe",
        "?:\\Users\\*\\python*.exe"
    )
  ) or
  process.name : ("systeminfo.exe", "hostname.exe") or
  (process.name : "wmic.exe" and process.args : "os" and process.args : "get")
) and not
process.parent.executable : (
    "?:\\Program Files\\*",
    "?:\\Program Files (x86)\\*",
    "?:\\ProgramData\\*"
) and not user.id : "S-1-5-18"

Framework: MITRE ATT&CKTM

« Windows Subsystem for Linux Enabled via Dism Utility Windows System Network Connections Discovery »