EXPLORE
Sign In
← Back to Explore
T1518

Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Such software may be deployed widely across the environment for configuration management or security reaso...

ESXiIaaSLinuxmacOSWindows
15
Detections
2
Sources
11
Threat Actors

BY SOURCE

11elastic4sigma

PROCEDURES (10)

Script Execution Monitoring3 detections

Auto-extracted: 3 detections for script execution monitoring

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Service1 detections

Auto-extracted: 1 detections for service

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Service1 detections

Auto-extracted: 1 detections for service

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Service1 detections

Auto-extracted: 1 detections for service

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

THREAT ACTORS (11)

BRONZE BUTLERHEXANEInceptionMuddyWaterMustang PandaSideCopySidewinderTropic TrooperVolt TyphoonWindigoWindshift

DETECTIONS (15)

AWS SSM Inventory Reconnaissance by Rare User
elasticmedium
Detected Windows Software Discovery
sigmamedium
Detected Windows Software Discovery - PowerShell
sigmamedium
Enumeration Command Spawned via WMIPrvSE
elasticlow
ESXI Discovery via Find
elasticmedium
ESXI Discovery via Grep
elasticmedium
HackTool - WinPwn Execution
sigmahigh
HackTool - WinPwn Execution - ScriptBlock
sigmahigh
Pluggable Authentication Module (PAM) Version Discovery
elasticlow
Polkit Version Discovery
elasticlow
Security Software Discovery via Grep
elasticmedium
Suspicious which Enumeration
elasticlow
Tool Enumeration Detected via Defend for Containers
elasticlow
Unusual Kernel Module Enumeration
elasticlow
Yum/DNF Plugin Status Discovery
elasticlow