Detected Windows Software Discovery - PowerShell

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Sigma rule (View on GitHub)

 1title: Detected Windows Software Discovery - PowerShell
 2id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
 3status: test
 4description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
 7    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
 8author: Nikita Nazarov, oscd.community
 9date: 2020/10/16
10modified: 2022/12/02
11tags:
12    - attack.discovery
13    - attack.t1518
14logsource:
15    product: windows
16    category: ps_script
17    definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19    selection:
20        ScriptBlockText|contains|all:
21            # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
22            - 'get-itemProperty'
23            - '\software\'
24            - 'select-object'
25            - 'format-table'
26    condition: selection
27falsepositives:
28    - Legitimate administration activities
29level: medium

References

Related rules

to-top