EXPLORE DETECTIONS
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery.
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
System Integrity Protection (SIP) Disabled
Detects the use of csrutil (Configure System Integrity Protection) to disable System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil (Configure System Integrity Protection) to view the System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
System Language Discovery via Reg.Exe
Detects the usage of Reg.Exe to query system language settings. Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions, or avoid targeting certain locales to evade detection.
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections.
System Network Connections Discovery - MacOs
Detects usage of system utilities to discover system network connections.
System Network Connections Discovery Via Net.EXE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
System Network Discovery - Linux
Detects enumeration of local network configuration.
System Network Discovery - macOS
Detects enumeration of local network configuration.
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
System Restore Registry Modification via CommandLine
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
System Scripts Autorun Keys Modification
Detects modification of an autostart extensibility point (ASEP) in the registry.
System Shutdown/Reboot - Linux
Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.
System Shutdown/Reboot - MacOs
Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.
Systemd Service Creation
Detects the creation of systemd services, which could be used by adversaries to execute malicious code.
T1047 Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
TacticalRMM Service Installation
Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
Tamper Windows Defender - PSClassic
Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP or to set default actions to allow.
Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'Remove-MpPreference' cmdlet.