1. Home
  2. Detection Strategies
  3. System Discovery via Native and Remote Utilities

System Discovery via Native and Remote Utilities

Technique Detected:  System Information Discovery | T1082

ID: DET0525
Domains: Enterprise
Analytics: AN1452, AN1453, AN1454, AN1455, AN1456, AN1457
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1452

Detection of processes executing system environment inspection operations followed by access to OS configuration APIs or registry locations that expose OS version, architecture, patch level, or hardware characteristics. Defenders observe process execution retrieving system configuration metadata immediately after process startup.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
WinEventLog:Sysmon EventCode=1
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
Mutable Elements
Field Description
TimeWindow Detect multiple discovery commands executed in short succession.
UserContext Scope alerts to unusual user accounts or service accounts.

AN1453

Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
CommandList Customize list of commands of interest (e.g., uname, lscpu, etc.)
TerminalSessionID Correlate sessions for behavior context.

AN1454

Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog log show --predicate 'process == '
Mutable Elements
Field Description
ParentProcess Determine if script or terminal executed the command.
FrequencyThreshold Number of discovery commands in a short window.

AN1455

Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:vmkernel /var/log/vmkernel.log
Mutable Elements
Field Description
SessionOrigin Track SSH or console-based entry points.
CommandString Customize detection for expected CLI queries.

AN1456

Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.

Log Sources
Data Component Name Channel
Instance Enumeration (DC0075) AWS:CloudTrail DescribeInstances, GetConsoleOutput, DescribeImages
Mutable Elements
Field Description
IAMRoleContext Limit detection to non-standard identities performing these calls.
APIFrequency Identify enumeration sweeps by volume.

AN1457

Execution of show version, show hardware, or show system commands through CLI via SSH or console.

Log Sources
Data Component Name Channel
Command Execution (DC0064) networkdevice:syslog Privilege-level command execution
Mutable Elements
Field Description
Username Highlight unexpected users issuing diagnostic commands.
CommandList Tailor to vendor-specific command syntax.