Detected Windows Software Discovery
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Sigma rule (View on GitHub)
1title: Detected Windows Software Discovery
2id: e13f668e-7f95-443d-98d2-1816a7648a7b
3related:
4 - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
5 type: derived
6status: test
7description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
10 - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
11author: Nikita Nazarov, oscd.community
12date: 2020-10-16
13modified: 2022-10-09
14tags:
15 - attack.discovery
16 - attack.t1518
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
23 CommandLine|contains|all:
24 - 'query'
25 - '\software\'
26 - '/v'
27 - 'svcversion'
28 condition: selection
29falsepositives:
30 - Legitimate administration activities
31level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources - harleyQu1nn/AggressorScripts
Read More
Related rules
- Detected Windows Software Discovery - PowerShell
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock