MITRE ATT&CK® Detection Strategy

DET0525: System Discovery via Native and Remote Utilities


Enterprise · DET0525 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0525 is a detection strategy for spotting system discovery activity performed through native or remote utilities. Its value is that basic system information discovery often helps an intruder decide what to do next, such as tailoring follow-on actions to operating system, hardware, patch, or architecture details. For leaders, this is a practical early-warning behavior: it is rarely damaging by itself, but it can indicate reconnaissance, and interpreting it correctly depends on knowing whether discovery activity is expected and authorized in environments where operational continuity, cloud workloads, or critical infrastructure dependencies are at stake.

Executive priority

Prioritize this as a coverage validation item for discovery-phase monitoring, especially where ESXi, IaaS, Linux, or macOS assets are in scope based on the related ATT&CK technique T1082. Executives should ask whether SOC and IR teams can distinguish routine administration from suspicious system enumeration, whether cloud and virtualization telemetry is retained, and whether this evidence can support incident scoping and audit/compliance narratives after an intrusion.

Technical view

This detection strategy maps to T1082 System Information Discovery under the Discovery tactic. Because the ATT&CK object does not provide official detection logic or platforms, defenders should validate coverage against the related technique context: attempts to collect operating system, hardware, version, patch, hotfix, service pack, or architecture information. SOC teams should review visibility for native and remote utility execution, administrative remote sessions, cloud or IaaS control-plane activity where applicable, and host-level process or command telemetry on supported environments such as ESXi, Linux, and macOS where those assets exist.

Likely telemetry

  • Process execution and command-line telemetry from relevant hosts
  • Remote administration or remote session logs
  • Authentication and session context for administrative access
  • Cloud/IaaS audit logs where system inventory or instance metadata access is observable
  • Virtualization or ESXi management logs where available

Detection direction

  • Validate that collection exists before writing analytics; this object has no official ATT&CK detection text, so local telemetry determines feasibility.
  • Tune detections around unusual system information queries by account, host, timing, source, or remote access path rather than treating all administrative discovery as malicious.
  • Correlate discovery activity with preceding authentication, remote utility use, privilege context, and subsequent follow-on behavior to reduce false positives.
  • Establish baselines for legitimate IT operations, vulnerability management, inventory tooling, and cloud administration that commonly collect similar information.
  • Pay attention to blind spots in non-Windows environments, virtualization layers, and IaaS telemetry, since the related technique includes ESXi, IaaS, Linux, and macOS.
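The tuning approach described in the Technical view and the Detection direction bullets above, as an added example that is not part of DET0525, ATT&CK, or this page: a Python script that classifies system-discovery command lines in constructed process telemetry, counts distinct hosts and platforms per account inside a time window, treats an ssh-wrapped command as a remote utility run against its target rather than the client host, and suppresses a known inventory account only when it acts from its baselined source. The event schema, the command patterns, the thresholds, the baseline, and the sample events are all assumptions made for illustration.

```python
"""Added example, not DET0525 or ATT&CK logic: score system discovery from
constructed process events by account, host, time window and access path."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Command-line patterns for native utilities that read OS, hardware, version,
# patch or architecture details, keyed by platform (assumed, not exhaustive).
DISCOVERY_PATTERNS = {
    "linux": [r"^uname\b", r"^hostnamectl\b", r"^cat\s+/etc/os-release\b",
              r"^lscpu\b", r"^dmidecode\b"],
    "macos": [r"^sw_vers\b", r"^system_profiler\b", r"^sysctl\s+(-n\s+)?hw\."],
    "esxi":  [r"^esxcli\s+system\s+version\b", r"^esxcli\s+hardware\b",
              r"^vmware\s+-v\b"],
    "iaas":  [r"169\.254\.169\.254", r"metadata\.google\.internal"],
}
COMPILED = {p: [re.compile(r) for r in rs] for p, rs in DISCOVERY_PATTERNS.items()}

# Remote utility prefix "ssh [flag-only options] [user@]target <command>":
# the discovery happens on the target, not on the host running the ssh client.
SSH_RE = re.compile(r"^ssh\s+(?:-\S+\s+)*(?:[\w.-]+@)?([\w.-]+)\s+(.+)$")

# Assumed baseline: accounts expected to enumerate systems, and the source
# addresses they are expected to do it from.
BASELINE = {"svc-inventory": {"10.0.0.5"}}

# Constructed sample telemetry (assumed schema: ts, host, user, source, cmd).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "web01", "user": "svc-inventory", "source": "10.0.0.5", "cmd": "uname -a"},
    {"ts": "2024-05-01T09:00:06", "host": "web02", "user": "svc-inventory", "source": "10.0.0.5", "cmd": "uname -a"},
    {"ts": "2024-05-01T09:00:07", "host": "db01", "user": "svc-inventory", "source": "10.0.0.5", "cmd": "cat /etc/os-release"},
    {"ts": "2024-05-01T09:00:08", "host": "mac01", "user": "svc-inventory", "source": "10.0.0.5", "cmd": "sw_vers"},
    {"ts": "2024-05-01T10:15:00", "host": "web01", "user": "jdoe", "source": "10.0.0.77", "cmd": "uname -a"},
    {"ts": "2024-05-01T10:15:30", "host": "web01", "user": "jdoe", "source": "10.0.0.77", "cmd": "ls -la /var/log"},
    {"ts": "2024-05-01T11:00:01", "host": "web01", "user": "adm-backup", "source": "203.0.113.9", "cmd": "uname -a"},
    {"ts": "2024-05-01T11:00:10", "host": "web01", "user": "adm-backup", "source": "203.0.113.9", "cmd": "cat /etc/os-release"},
    {"ts": "2024-05-01T11:01:30", "host": "mac01", "user": "adm-backup", "source": "203.0.113.9", "cmd": "sw_vers"},
    {"ts": "2024-05-01T11:02:00", "host": "jump01", "user": "adm-backup", "source": "203.0.113.9", "cmd": "ssh root@esx01 'esxcli system version get'"},
    {"ts": "2024-05-01T11:02:40", "host": "web01", "user": "adm-backup", "source": "203.0.113.9", "cmd": "curl -s http://169.254.169.254/latest/meta-data/instance-id"},
    {"ts": "2024-05-01T12:00:00", "host": "web01", "user": "svc-inventory", "source": "203.0.113.9", "cmd": "uname -a"},
]


def classify(cmd):
    """Return (platform, remote_target) for a discovery command, else (None, None)."""
    target = None
    m = SSH_RE.match(cmd.strip())
    if m:
        target, cmd = m.group(1), m.group(2).strip().strip("'\"")
    for platform, regexes in COMPILED.items():
        if any(r.search(cmd) for r in regexes):
            return platform, target
    return None, None


def detect(events, window=timedelta(minutes=10), min_hosts=3, min_platforms=2):
    """One finding per account whose discovery activity, in any sliding window,
    leaves its baseline or is unusually broad (hosts) or deep (platforms)."""
    by_user = defaultdict(list)
    for e in events:
        platform, target = classify(e["cmd"])
        if platform is None:
            continue  # not a system information query
        by_user[e["user"]].append({
            "ts": datetime.fromisoformat(e["ts"]),
            "host": target or e["host"],   # credit the ssh target, not the client
            "platform": platform,
            "source": e["source"],
            "remote": target is not None,
        })
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            win = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            hosts = {x["host"] for x in win}
            platforms = {x["platform"] for x in win}
            sources = {x["source"] for x in win}
            reasons = []
            if user in BASELINE:
                if sources <= BASELINE[user]:
                    continue  # expected account from its expected sources
                reasons.append("source_not_in_baseline")
            if len(hosts) >= min_hosts:
                reasons.append("breadth")
            if len(platforms) >= min_platforms:
                reasons.append("depth")
            if any(x["remote"] for x in win):
                reasons.append("remote_utility")
            if reasons:
                findings.append({"user": user, "start": first["ts"].isoformat(),
                                 "hosts": hosts, "platforms": platforms,
                                 "sources": sources, "reasons": reasons})
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["user"], f["start"], sorted(f["hosts"]), sorted(f["platforms"]), f["reasons"])
```

Run against the sample, the inventory account's morning sweep across four hosts is suppressed because it comes from its baselined source, the single `uname -a` by an interactive user produces nothing, the account that queries Linux, macOS, ESXi and instance metadata from an unfamiliar address within three minutes is flagged for breadth, depth and remote utility use, and the inventory account is flagged the moment it appears from an address outside its baseline. The thresholds and baseline are the part that must come from local telemetry, which is the point of the "validate collection first" bullet above.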

Mitigation priorities

  • Ensure authoritative asset inventory and configuration visibility so discovery events can be interpreted against expected administration patterns.
  • Limit and monitor administrative and remote access paths used to collect system details.
  • Apply least-privilege access for accounts that can query system, cloud, or virtualization configuration details.
  • Retain host, remote access, cloud/IaaS, and virtualization logs long enough to support incident reconstruction.
  • Document accepted administrative discovery tools and workflows so SOC teams can identify deviations and provide defensible compliance evidence.

Analyst notes and limits

The strongest use of DET0525 is as a coverage and readiness prompt: can the organization observe system discovery, determine whether it was expected, and connect it to an identity, host, cloud workload, or management plane? This is especially useful for managed detection, incident response scoping, identity/access review, cloud security monitoring, and vulnerability-management context because system discovery can reveal what an adversary learned before choosing next actions.

The supplied ATT&CK detection strategy has no official description, detection text, tactics, or platforms. Platform and tactic context comes only from the relationship to T1082 System Information Discovery. Local environment data is required to determine actual telemetry availability, expected administrative behavior, false-positive rates, and detection coverage.

Official MITRE ATT&CK definition

System Discovery via Native and Remote Utilities

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1082
Name: System Information Discovery
Relationship / procedure: This object detects System Information Discovery.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 18a52b8acf0acc0d...

Imported snapshots across ATT&CK releases (1)

Release 19.1, object version 1.0, current bundle, raw hash 18a52b8acf0a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] mitre-attack: DET0525 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.