Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Sigma rule
title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1518
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
            - 'get-itemProperty'
            - '\software\'
            - 'select-object'
            - 'format-table'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
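The selection above is a single `contains|all` over the ScriptBlockText field of PowerShell Script Block Logging events (Event ID 4104): the rule fires only when every one of the four literal strings appears somewhere in the logged script block, and Sigma string matching is case-insensitive by default. The Python below is an added example written for this page, not code from the Sigma project or the rule author. It implements that one modifier as a small evaluator, runs it over a handful of constructed 4104 records (not real telemetry), and shows which ones the rule would flag. Record 2 is missing `format-table`, record 3 never touches `\software\`, record 4 uses cmdlet aliases the rule's literal strings do not cover (a coverage gap worth knowing when tuning), and record 5 is the same activity in upper case, which still matches because the comparison is case-insensitive. The field name and record layout are assumptions for the example.

```python
"""Evaluate the Sigma 'contains|all' selection from this rule over sample events.

Added example for this page; not part of the Sigma rule or its author's work.
Assumptions: events are dicts carrying a 'ScriptBlockText' field (as a 4104
record would after field extraction) and an integer 'RecordId'.
"""

# The rule's four literal terms (Sigma string matching is case-insensitive).
SOFTWARE_DISCOVERY_TERMS = (
    "get-itemProperty",
    "\\software\\",
    "select-object",
    "format-table",
)

# Minimal representation of the rule's selection: "<field>|contains|all": [terms].
SELECTION = {"ScriptBlockText|contains|all": list(SOFTWARE_DISCOVERY_TERMS)}


def contains_all(value, terms):
    """Sigma 'contains|all': every term must occur in value, case-insensitively."""
    haystack = str(value).lower()
    return all(term.lower() in haystack for term in terms)


def evaluate_selection(event, selection=SELECTION):
    """Return True if the event satisfies every '<field>|contains|all' clause."""
    for key, terms in selection.items():
        field, *modifiers = key.split("|")
        if modifiers != ["contains", "all"]:
            raise ValueError(f"unsupported modifier chain: {key}")
        if not contains_all(event.get(field, ""), terms):
            return False
    return True


def find_alerts(events, selection=SELECTION):
    """RecordIds of events the rule's condition ('selection') would flag."""
    return [e["RecordId"] for e in events if evaluate_selection(e, selection)]


# Constructed sample ScriptBlockText values, labelled per case (not real logs).
SAMPLE_EVENTS = [
    {  # 1: the exact pattern from the rule's own comment -> should match
        "RecordId": 1,
        "ScriptBlockText": r"Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* "
                           r"| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate "
                           r"| Format-Table -Autosize",
    },
    {  # 2: no Format-Table, so one of the four terms is absent -> no match
        "RecordId": 2,
        "ScriptBlockText": r"Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* "
                           r"| Select-Object DisplayName",
    },
    {  # 3: ordinary process listing, never touches a \software\ path -> no match
        "RecordId": 3,
        "ScriptBlockText": "Get-Process | Select-Object Name, Id | Format-Table",
    },
    {  # 4: same intent via aliases 'select' and 'ft' -> literal terms not present, no match
        "RecordId": 4,
        "ScriptBlockText": r"Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* "
                           r"| select DisplayName | ft",
    },
    {  # 5: upper-case variant -> matches because the comparison is case-insensitive
        "RecordId": 5,
        "ScriptBlockText": r"GET-ITEMPROPERTY 'HKLM:\Software\Classes' | SELECT-OBJECT PSChildName | FORMAT-TABLE",
    },
]


if __name__ == "__main__":
    print("records flagged by the rule:", find_alerts(SAMPLE_EVENTS))  # [1, 5]
```

Record 4 is the tuning point: because Script Block Logging records the text as typed, aliases and abbreviated cmdlet names fall outside the rule's literal strings, so an analyst assessing coverage should pair this rule with the broader "Detected Windows Software Discovery" rule listed below rather than rely on it alone. Record 5 shows why the rule's mixed-case `get-itemProperty` term is harmless: Sigma lower-cases both sides before comparing.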
Related rules
- Detected Windows Software Discovery
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock