System Information Discovery (T1082) is a MITRE ATT&CK technique in the Discovery tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully invests in a compromise. This information helps attackers understand the target environment, identify applicable exploits for the installed OS version, determine whether specific security configurations are present, and understand the hardware capabilities available for attack tools. System information is typically gathered through commands like systeminfo.exe on Windows, uname and lscpu on Linux, and registry queries for detailed OS configuration. Post-exploitation frameworks include automated system information gathering modules that collect this data systematically as part of the initial reconnaissance phase following successful compromise.
"System Information Discovery is documented as technique T1082 in the MITRE ATT&CK knowledge base under the Discovery tactic. Detection requires visibility into XDR and SIEM telemetry."
Detection Strategies
The following detection strategies help SOC analysts identify System Information Discovery activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.
1. Monitor execution of systeminfo.exe, ver, and winver commands in isolation or as part of broader discovery command sequences, particularly from accounts that do not have legitimate administrative reasons to query system configuration.
2. Alert on registry queries targeting version and configuration information from SOFTWARE\Microsoft\Windows NT\CurrentVersion and SYSTEM\CurrentControlSet\Control\Session Manager\Environment from unusual processes.
3. Detect WMI queries for Win32_OperatingSystem, Win32_ComputerSystem, and Win32_BIOS classes from non-administrative processes and from remote WMI connections originating from workstations.
4. Monitor for automated system information collection that writes output to files in staging directories, as attackers frequently redirect discovery command output to text files that are later exfiltrated or analyzed to plan further attack stages.
5. Track execution of commands collecting patch and hotfix information including wmic qfe list and Get-HotFix, which attackers use to identify unpatched vulnerabilities that can be exploited for privilege escalation.
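The five strategies above folded into one per-event rule set, as an added example that is not SOCSimulator's code. It assumes a Sysmon Event ID 1-style process-creation record (host, user, image, parent_image, command_line); the staging-directory list and the rule names are the author's own choices, and the sample events are constructed rather than real telemetry. Output redirection into a staging directory (strategy 4) and a WmiPrvSE.exe parent (the remote-WMI case of strategy 3) raise the severity of any hit they accompany.

```python
"""Classify Windows process-creation events for T1082 indicators.

Added example (not SOCSimulator's code). Event fields follow an assumed
Sysmon Event ID 1-style shape; SAMPLE_EVENTS below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    severity: str
    command_line: str


OS_VERSION_TOOLS = {"systeminfo", "ver", "winver"}          # strategy 1
VERSION_REG_KEYS = (                                           # strategy 2
    r"software\microsoft\windows nt\currentversion",
    r"system\currentcontrolset\control\session manager\environment",
)
WMI_SYSTEM_CLASSES = re.compile(r"win32_(operatingsystem|computersystem|bios)\b", re.I)
WMIC_SYSTEM_ALIASES = {"os", "computersystem", "bios"}        # wmic short forms
# Assumed staging locations; tune to the environment.
STAGING_PATHS = re.compile(r"(c:\\users\\public\\|\\temp\\|c:\\programdata\\)", re.I)
REDIRECT = re.compile(r"(>>?|\|\s*out-file|\|\s*set-content|\|\s*tee)", re.I)


def _tokens(cmdline: str) -> list[str]:
    """Whitespace tokens, lower-cased, with surrounding quotes removed."""
    return [t.strip("\"'").lower() for t in cmdline.split()]


def _basename(token: str) -> str:
    """Last path component without a trailing .exe, e.g. C:\\x\\wmic.exe -> wmic."""
    name = token.rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def classify(event: dict) -> list[Finding]:
    """Return the T1082 rule hits for one process-creation event."""
    cmd = event["command_line"]
    low = cmd.lower()
    toks = _tokens(cmd)
    names = [_basename(t) for t in toks]
    rules: list[str] = []

    if OS_VERSION_TOOLS & set(names):
        rules.append("os_version_command")
    if "reg" in names and "query" in toks and any(k in low for k in VERSION_REG_KEYS):
        rules.append("version_registry_query")
    wmic_alias = "wmic" in names and (WMIC_SYSTEM_ALIASES & set(toks))
    if WMI_SYSTEM_CLASSES.search(cmd) or wmic_alias:
        rules.append("wmi_system_class_query")
    if ("wmic" in names and "qfe" in toks) or "get-hotfix" in toks:
        rules.append("patch_enumeration")
    if not rules:
        return []

    severity = "low"
    # Strategy 4: discovery output written into a staging directory.
    if REDIRECT.search(cmd) and STAGING_PATHS.search(cmd):
        rules.append("output_staged_to_disk")
        severity = "medium"
    # Remote WMI execution appears on the target as a child of WmiPrvSE.exe.
    if _basename(event.get("parent_image", "").lower()) == "wmiprvse":
        rules.append("remote_wmi_execution")
        severity = "medium"
    return [Finding(event["host"], event["user"], r, severity, cmd) for r in rules]


def scan(events: list[dict]) -> list[Finding]:
    """Classify a batch of events and flatten the findings."""
    return [f for e in events for f in classify(e)]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "HOST-A", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c systeminfo > C:\Users\Public\si.txt"},
    {"host": "HOST-B", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "wmic qfe list"},
    {"host": "HOST-C", "user": "CORP\\asmith", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"host": "HOST-C", "user": "CORP\\asmith", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -c Get-CimInstance Win32_OperatingSystem | Select Caption,Version"},
    {"host": "HOST-D", "user": "CORP\\bnguyen", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\bnguyen\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host:8} {f.user:18} {f.rule:24} {f.command_line}")
```

Token matching rather than substring matching keeps `ver` from firing on every command line that contains the letters "ver", and the single-token `ver` rule will still be noisy on hosts where administrators script it; the lone low-severity hits are the ones to baseline per account before they are promoted to alerts.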
Example Alerts
These realistic alert examples show what System Information Discovery looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.
Medium | SIEM
Systeminfo Collection Across Multiple Systems
WMI-based remote execution detected collecting systeminfo output from 23 systems sequentially using a single compromised domain account. The collected information includes OS versions, installed patches, hardware specifications, and domain membership. Systematic collection of this data across multiple systems simultaneously is characteristic of post-exploitation framework reconnaissance modules preparing a target profile for subsequent exploitation and lateral movement.
Medium | XDR
Patch Level Enumeration for Exploit Selection
The wmic qfe list command was executed to enumerate all installed Windows patches and hotfixes on server APP-PROD-11. The output was written to a temporary file and accessed by a subsequent process that cross-referenced the results against a local exploit database file to identify applicable local privilege escalation vulnerabilities. This deliberate patch enumeration followed by exploit selection is a technique used by sophisticated attackers to find the appropriate escalation path.
Low | XDR
System Architecture Discovery Before Payload Deployment
Registry query detected reading HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment for the PROCESSOR_ARCHITECTURE value to determine 32-bit versus 64-bit system architecture. This query occurred 30 seconds before a payload download was initiated and the downloaded file was specifically the 64-bit variant of a remote access tool, indicating the attacker used architecture detection to select the appropriate payload version for deployment.
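Two of the three alerts above are correlations rather than single-event matches: the first fires because one account ran discovery against many hosts in a short span, the third because an architecture query was followed within seconds by a download on the same host. The following is an added example (not SOCSimulator's code) of both correlations over already-normalised events. The event shape (ts, host, user, kind) and the kind labels "discovery", "arch_query" and "download" are assumptions, the thresholds are starting points to tune, and the sample events are constructed.

```python
"""Correlate T1082 events into multi-host and discovery-then-download alerts.

Added example (not SOCSimulator's code). Input events carry assumed fields
ts (ISO-8601), host, user and kind; SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def breadth_alerts(events: list[dict], window_minutes: int = 30, min_hosts: int = 10) -> list[dict]:
    """One account running discovery on >= min_hosts distinct hosts within the window.

    For each user the sliding window walks the time-sorted events and keeps the
    largest distinct-host count seen, so the alert reports the full breadth.
    """
    window = timedelta(minutes=window_minutes)
    per_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["kind"] == "discovery":
            per_user[e["user"]].append((_ts(e["ts"]), e["host"]))

    alerts = []
    for user, items in per_user.items():
        items.sort()
        best = None
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {h for _, h in items[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["host_count"]):
                best = {
                    "user": user,
                    "host_count": len(hosts),
                    "severity": "medium",
                    "first": items[start][0].isoformat(),
                    "last": items[end][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


def sequence_alerts(events: list[dict], max_gap_seconds: int = 60) -> list[dict]:
    """Architecture query followed on the same host by a download within the gap."""
    gap = timedelta(seconds=max_gap_seconds)
    by_host: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    for e in events:
        if e["kind"] in ("arch_query", "download"):
            by_host[e["host"]].append((_ts(e["ts"]), e["kind"], e["user"]))

    alerts = []
    for host, items in by_host.items():
        items.sort()
        last_query = None
        for ts, kind, user in items:
            if kind == "arch_query":
                last_query = ts
            elif kind == "download" and last_query is not None and ts - last_query <= gap:
                alerts.append({
                    "host": host,
                    "user": user,
                    "gap_seconds": int((ts - last_query).total_seconds()),
                    "severity": "low",
                })
                last_query = None  # pair each query with at most one download
    return alerts


SAMPLE_EVENTS = (  # constructed, not real telemetry
    [{"ts": f"2024-01-01T09:{i:02d}:00", "host": f"SRV-{i:02d}",
      "user": "CORP\\svc_backup", "kind": "discovery"} for i in range(12)]
    + [{"ts": "2024-01-01T09:05:00", "host": "WS-001", "user": "CORP\\jdoe", "kind": "discovery"},
       {"ts": "2024-01-01T09:06:00", "host": "WS-002", "user": "CORP\\jdoe", "kind": "discovery"},
       {"ts": "2024-01-01T09:30:00", "host": "WS-042", "user": "CORP\\jdoe", "kind": "arch_query"},
       {"ts": "2024-01-01T09:30:30", "host": "WS-042", "user": "CORP\\jdoe", "kind": "download"},
       {"ts": "2024-01-01T10:00:00", "host": "WS-050", "user": "CORP\\jdoe", "kind": "arch_query"},
       {"ts": "2024-01-01T10:05:00", "host": "WS-050", "user": "CORP\\jdoe", "kind": "download"}]
)

if __name__ == "__main__":
    for a in breadth_alerts(SAMPLE_EVENTS) + sequence_alerts(SAMPLE_EVENTS):
        print(a)
```

The breadth rule is where the systeminfo alert gets its Medium severity: a single systeminfo run is routine, twelve of them from one account in eleven minutes is not. The sequence rule is deliberately kept at Low on its own, since a download shortly after a registry read is weak evidence until the downloaded file or the process that fetched it is examined.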
Practice Detecting System Information Discovery
SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including System Information Discovery. Build detection skills with zero consequences — free forever.
How do SOC analysts detect System Information Discovery?
SOC analysts detect System Information Discovery (T1082) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring execution of systeminfo.exe, ver, and winver commands in isolation or as part of broader discovery command sequences, particularly from accounts that do not have legitimate administrative reasons to query system configuration. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect System Information Discovery?
System Information Discovery can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the discovery phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is System Information Discovery in real-world attacks?
System Information Discovery is a well-documented MITRE ATT&CK technique in the Discovery tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic System Information Discovery scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting System Information Discovery for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Discovery techniques like System Information Discovery. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.