Technique on mitre.org

T1518: Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Such software may be deployed widely across the environment for configuration management or security reasons, such as Software Deployment Tools, and may allow adversaries broad access to infect devices or move laterally.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

sap_attack_detection: PT-CR-154: SAPASABAP_Gathering_Info: System information is collected postgresql_database: PT-CR-1829: PostgreSQL_Structure_Discovery: Execution of certain SQL commands may indicate reconnaissance of the internal structure of the PostgreSQL database, which may indicate attacker activity mssql_database: PT-CR-424: MSSQL_Version_Detect: An attempt to get database version information unix_mitre_attck_discovery: PT-CR-1679: Unix_Software_Discovery: Reconnaissance for software installed on a Unix host unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance. oracle_database: PT-CR-284: Oracle_Listener_Version_Check: Execution of the VERSION command in Oracle Listener mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host mitre_attck_discovery: PT-CR-331: Software_Discovery: An attempt to retrieve a list of applications is detected

Subtechniques

T1518.001 Security Software Discovery

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

ID	DS0018	Data source and component	Firewall: Firewall Metadata	Description	Monitor for contextual data about a firewall and activity around it such as name, policy, or status

ID	DS0018	Data source and component	Firewall: Firewall Enumeration	Description	Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
DS0009	Process: OS API Execution	Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
DS0009	Process: Process Creation	Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
DS0018	Firewall: Firewall Metadata	Monitor for contextual data about a firewall and activity around it such as name, policy, or status
DS0018	Firewall: Firewall Enumeration	Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)