EXPLORE
Sign In
← Back to Explore
T1518

Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Such software may be deployed widely across the environment for configuration management or security reaso...

ESXiIaaSLinuxmacOSWindows
17
Detections
4
Sources
11
Threat Actors

BY SOURCE

11elastic4sigma1kql1splunk_escu

PROCEDURES (12)

Script Execution Monitoring3 detections

Auto-extracted: 3 detections for script execution monitoring

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

Service1 detections

Auto-extracted: 1 detections for service

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Service1 detections

Auto-extracted: 1 detections for service

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

Service1 detections

Auto-extracted: 1 detections for service

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

THREAT ACTORS (11)

BRONZE BUTLERHEXANEInceptionMuddyWaterMustang PandaSideCopySidewinderTropic TrooperVolt TyphoonWindigoWindshift

DETECTIONS (17)

AWS SSM Inventory Reconnaissance by Rare User
elasticmedium
Detected Windows Software Discovery
sigmamedium
Detected Windows Software Discovery - PowerShell
sigmamedium
Enumeration Command Spawned via WMIPrvSE
elasticlow
ESXI Discovery via Find
elasticmedium
ESXI Discovery via Grep
elasticmedium
HackTool - WinPwn Execution
sigmahigh
HackTool - WinPwn Execution - ScriptBlock
sigmahigh
List Defender Discovery Activities
kql
Pluggable Authentication Module (PAM) Version Discovery
elasticlow
Polkit Version Discovery
elasticlow
Security Software Discovery via Grep
elasticmedium
Suspicious which Enumeration
elasticlow
Tool Enumeration Detected via Defend for Containers
elasticlow
Unusual Kernel Module Enumeration
elasticlow
Windows Software Discovery Via PowerShell
splunk_escu
Yum/DNF Plugin Status Discovery
elasticlow