# T1518 Software Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

  * Azure AD

  * Office 365

  * SaaS

  * IaaS

  * Linux

  * macOS

  * Google Workspace

### Adversary Required Permissions:

  * User

  * Administrator

### Data Sources:

  * **Command:** Command Execution

  * **Firewall:** Firewall Enumeration

  * **Firewall:** Firewall Metadata

  * **Process:** Process Creation

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has searched the victim system for the <code>InstallUtil.exe</code> program and its version.(Citation: Anomali MUSTANG PANDA October 2019)| 
| Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a script to detect installed software on targeted systems.(Citation: ESET ForSSHe December 2018)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to enumerate software installed on an infected host.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has collected a list of installed software on the infected system.(Citation: FoxIT Wocao December 2019)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used malware to identify installed software.(Citation: BlackBerry Bahamut)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has enumerated installed software on compromised systems.(Citation: Symantec Inception Framework March 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081)'s backdoor could list the infected system's installed software.(Citation: TrendMicro Tropic Trooper May 2020)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used a PowerShell backdoor to check for Skype connectivity on the target machine.(Citation: Trend Micro Muddy Water March 2021)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used tools to enumerate software installed on an infected host.(Citation: Trend Micro Tick November 2019)|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1518)

  * [Capec](https://capec.mitre.org/data/definitions/580.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will enumerate the software and software versions installed on a compromised host (through the registry Uninstall keys, WMI, tasklist, or PowerShell) to identify security products that are present and to find vulnerable software that supports follow-on actions such as privilege escalation.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla |  | |
| APT28 | | |
| APT29 | | |

## Detection Blindspots

- All four host analytics below key on process creation and command-line fields. Malware or a remote access tool that calls the Windows API or WMI directly (for example RegEnumKeyEx against the Uninstall keys, or a COM query to root\SecurityCenter2) never spawns reg.exe, wmic.exe or tasklist.exe and produces none of the command lines they look for.
- PowerShell equivalents (Get-ItemProperty on the Uninstall keys, Get-CimInstance or Get-WmiObject for AntiVirusProduct or Win32_Product) are not covered by these queries; catching them requires script block logging (Event ID 4104) or module logging.
- Sysmon registry events (Event IDs 12 to 14) record key and value creation, modification, rename and deletion, not reads, so a registry query leaves no Sysmon registry event.
- The cloud and SaaS platforms listed above (Azure AD, Office 365, Google Workspace, SaaS, IaaS) have no analytics on this page yet.

## Analytical References

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md

  * https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

  * https://securelist.com/the-epic-turla-operation/65545/

  * https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

  * https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. In practice, pivot from any hit below to the parent process, the logged-on user, and whatever else that process tree ran in the surrounding minutes.

#### Analytic 1

  * **Information:** 'Look for reg.exe querying the keys that list installed software and versions, for example:

```
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*
HKLM\Software\Microsoft\Internet Explorer
```

Each entry under the Uninstall keys carries DisplayName and DisplayVersion values, which is what an adversary needs to decide whether a product is present and exploitable.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Per-user installs live under HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall and are worth including. A query against `*Software*` alone matches nearly every reg.exe invocation; the Uninstall and Internet Explorer paths are the discriminating part of the command line.'

  * **Query:** ```process.name : "reg.exe" and process.command_line : (*CurrentVersion\\Uninstall* or *Internet\ Explorer*)```

#### Analytic 2

  * **Information:** 'tasklist.exe lists running processes (with `/svc` the services each hosts, with `/m` the loaded modules), and netsh.exe exposes firewall configuration (`netsh advfirewall show allprofiles`, `netsh advfirewall firewall show rule name=all`). These are the command-line routes to the Process and Firewall data sources listed above; capture the full command line so the specific switches can be reviewed.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'tasklist with no arguments is common in administrative scripts, so expect noise and narrow on parent process or user. `netsh advfirewall show` and `netsh advfirewall firewall show rule` are a stronger signal than netsh.exe alone, which also carries interface, wlan and trace subcommands.'

  * **Query:** ```process.name : ("netsh.exe" or "tasklist.exe") and process.command_line : *```

#### Analytic 3

  * **Information:** 'fltmc.exe is a system-supplied command-line utility for common minifilter driver management operations. Listing the loaded filters and searching for Sysmon's default driver altitude reveals an installed Sysmon service even when the driver and service have been renamed:

```
fltmc.exe | findstr.exe 385201
```

Unlikely to be seen often, but a useful command to know.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'fltmc requires administrative rights. The two halves of the pipeline are separate child processes of the same shell, so correlate on the parent process (Sysmon ParentProcessGuid, process.parent.entity_id in ECS) within a few seconds rather than expecting a single event to carry both. 385201 is only the default altitude: a defender can change it, and an adversary can drop the findstr and read the whole filter list, so bare fltmc.exe executions are also worth reviewing.'

  * **Query:** ```process.name : "fltmc.exe" or (process.name : "findstr.exe" and process.command_line : *385201*)```

#### Analytic 4

  * **Information:** 'wmic.exe querying the WMI SecurityCenter2 namespace, which registers the antivirus products known to Windows Security Center:

```
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState
```
'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'The SecurityCenter2 namespace exists only on client (workstation) editions of Windows, so the check returns nothing on servers. The same data can be pulled without wmic.exe from PowerShell (`Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct`), so also review PowerShell script block logs for AntiVirusProduct.'

  * **Query:** ```process.name : "wmic.exe" and process.command_line : *AntiVirusProduct*```
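
The four analytics above, as an added example that is not part of this playbook or of MITRE's content: a small Python detector that runs them over Sysmon Event ID 1 (process creation) records, including the parent-process correlation Analytic 3 needs. Field names follow Sysmon's EID 1 (UtcTime, Image, CommandLine, ParentProcessGuid); the events, GUIDs and XML snippet are constructed for illustration, and the ten-second window used for Analytic 3 is an assumed value.

```python
"""Run this page's four T1518 host analytics over Sysmon Event ID 1 records.

Added example for this playbook, not code from MITRE or the page's authors.
Fields mirror Sysmon EID 1 (UtcTime, Image, CommandLine, ParentProcessGuid);
every sample event, GUID and XML snippet below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath
import re
import xml.etree.ElementTree as ET


@dataclass
class ProcEvent:
    utc_time: datetime
    image: str
    command_line: str
    parent_guid: str  # ParentProcessGuid: ties a pipeline's children to one shell

    @property
    def name(self) -> str:
        # Match on the file name (Kibana's process.name), not the full path
        return ntpath.basename(self.image).lower()


def from_sysmon_xml(xml_text: str) -> ProcEvent:
    """Build a ProcEvent from one Sysmon EID 1 event rendered as XML."""
    data = {el.get("Name"): (el.text or "") for el in ET.fromstring(xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == "Data"}  # tolerate the Windows event namespace
    return ProcEvent(datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
                     data["Image"], data["CommandLine"], data["ParentProcessGuid"])


# Analytic 1: reg.exe reading the installed-software or Internet Explorer keys.
REG_SOFTWARE_KEYS = re.compile(r"currentversion\\uninstall|\\internet explorer", re.I)

def analytic1_reg_query(ev: ProcEvent) -> bool:
    return ev.name == "reg.exe" and REG_SOFTWARE_KEYS.search(ev.command_line) is not None


# Analytic 2: tasklist/netsh (running software, firewall state). Broad by design;
# narrow on parent process or user in the SIEM.
def analytic2_netsh_tasklist(ev: ProcEvent) -> bool:
    return ev.name in {"netsh.exe", "tasklist.exe"}


# Analytic 3: "fltmc | findstr 385201". Both halves are children of the same shell,
# so pair a findstr for the altitude with a fltmc sharing its parent within maxspan.
SYSMON_DEFAULT_ALTITUDE = "385201"

def analytic3_fltmc_findstr(events, maxspan=timedelta(seconds=10)):  # window is an assumed value
    fltmc = [e for e in events if e.name == "fltmc.exe"]
    hits = []
    for e in events:
        if e.name != "findstr.exe" or SYSMON_DEFAULT_ALTITUDE not in e.command_line:
            continue
        for f in fltmc:
            if f.parent_guid == e.parent_guid and timedelta(0) <= e.utc_time - f.utc_time <= maxspan:
                hits.append((f, e))
                break
    return hits


# Analytic 4: wmic query of the SecurityCenter2 namespace for registered antivirus.
def analytic4_wmic_av(ev: ProcEvent) -> bool:
    return ev.name == "wmic.exe" and "antivirusproduct" in ev.command_line.lower()


def run_analytics(events):
    """Return (analytic, event) pairs; analytic3 reports the findstr half of its pair."""
    alerts = []
    for ev in events:
        if analytic1_reg_query(ev):
            alerts.append(("analytic1", ev))
        if analytic2_netsh_tasklist(ev):
            alerts.append(("analytic2", ev))
        if analytic4_wmic_av(ev):
            alerts.append(("analytic4", ev))
    alerts.extend(("analytic3", e) for _, e in analytic3_fltmc_findstr(events))
    return alerts


# Constructed sample: one cmd.exe shell (CMD_GUID) runs the discovery commands,
# with look-alike events mixed in that must not fire.
T0 = datetime(2022, 6, 23, 14, 0, 0)
CMD_GUID = "{00000000-0000-0000-0000-000000000001}"
OTHER_GUID = "{00000000-0000-0000-0000-000000000002}"
SYS32 = r"C:\Windows\System32"

SAMPLE_XML = """<Event><EventData>
<Data Name="UtcTime">2022-06-23 14:00:00.000</Data>
<Data Name="Image">C:\\Windows\\System32\\reg.exe</Data>
<Data Name="CommandLine">reg  query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall" /s</Data>
<Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
</EventData></Event>"""

SAMPLE_EVENTS = [
    from_sysmon_xml(SAMPLE_XML),                                                                 # analytic1
    ProcEvent(T0 + timedelta(seconds=2), SYS32 + r"\reg.exe", r"reg  add HKCU\Software\Contoso /v X /d 1", CMD_GUID),
    ProcEvent(T0 + timedelta(seconds=5), SYS32 + r"\tasklist.exe", "tasklist  /svc", CMD_GUID),  # analytic2
    ProcEvent(T0 + timedelta(seconds=7), SYS32 + r"\fltmc.exe", "fltmc.exe", CMD_GUID),          # analytic3 pair
    ProcEvent(T0 + timedelta(seconds=7), SYS32 + r"\findstr.exe", "findstr.exe  385201", CMD_GUID),
    ProcEvent(T0 + timedelta(seconds=40), SYS32 + r"\findstr.exe", "findstr.exe  385201", OTHER_GUID),  # no fltmc sibling
    ProcEvent(T0 + timedelta(seconds=50), SYS32 + r"\wbem\WMIC.exe",                             # analytic4
              r"wmic  /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState", CMD_GUID),
    ProcEvent(T0 + timedelta(seconds=55), SYS32 + r"\wbem\WMIC.exe", "wmic  os get caption", CMD_GUID),
]

if __name__ == "__main__":
    for analytic, ev in run_analytics(SAMPLE_EVENTS):
        print(f"{analytic}: {ev.utc_time:%H:%M:%S} {ev.command_line}")
```

Running the block prints one line per alert; the look-alike events (a reg.exe add to an unrelated key, a findstr.exe 385201 with no fltmc.exe sibling, a wmic os get caption) fire nothing. The Analytic 3 pairing is the part a single KQL query cannot express; in Kibana the equivalent is an EQL sequence keyed on process.parent.entity_id, or a join on the parent GUID in whatever SIEM holds the Sysmon data.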


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

