rule:
meta:
name: check OS version
namespace: host-interaction/os/version
authors:
- michael.hunhoff@mandiant.com
- johnk3r
scopes:
static: function
dynamic: unsupported # requires mnemonic features
att&ck:
- Discovery::System Information Discovery [T1082]
mbc:
- Discovery::System Information Discovery [E1082]
examples:
- 493167E85E45363D09495D0841C30648:0x401000
features:
- and:
- match: get OS version
- or:
- and:
- instruction:
- mnemonic: cmp
- number: 5 = Windows 2000
- optional:
- instruction:
- mnemonic: cmp
- or:
- number: 0
- number: 1 = Windows XP
- number: 2 = Windows XP 64-bit / Windows Server 2003 / Windows Server 2003 R2
- and:
- instruction:
- mnemonic: cmp
- number: 6 = Windows Vista / Windows Server 2008
- optional:
- instruction:
- mnemonic: cmp
- or:
- number: 0
- number: 1 = Windows Server 2008 R2 / Windows 7
- number: 2 = Windows Server 2012 / Windows 8
- number: 3 = Windows Server 2012 R2 / Windows 8.1
- and:
- instruction:
- mnemonic: cmp
- number: 10 = Windows Server 2016 / Windows Server 2019 / Windows 10
- optional:
- instruction:
- mnemonic: cmp
- number: 0
last edited: 2023-11-24 10:34:28