T1518

Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.

Microsoft Sentinel / Defender

kusto

let SoftwareDiscoveryPatterns = dynamic([
  // Registry-based enumeration
  "\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
  "\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
  // WMI-based enumeration
  "Win32_Product",
  "Win32_InstalledWin32Program",
  "Win32_InstalledProgramFramework",
  // PowerShell cmdlets
  "Get-Package",
  "Get-WmiObject",
  "Get-CimInstance",
  // WMIC commands
  "product get",
  "product list"
]);
let SuspiciousParents = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"
]);
// Branch 1: Registry queries targeting software inventory keys
let RegistryBranch = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "CurrentVersion\\Uninstall"
| where ActionType in ("RegistryKeyValueQueried", "RegistryQueryKey")
| extend DetectionSource = "Registry"
| project Timestamp, DeviceName, AccountName, ActionType,
          RegistryKey, RegistryValueName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionSource;
// Branch 2: Process-based software discovery (wmic, reg, PowerShell)
let ProcessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // wmic product enumeration
    (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("product get", "product list", "product where", "Win32_Product"))
    // reg query against uninstall keys
    or (FileName =~ "reg.exe" and ProcessCommandLine has "Uninstall")
    // PowerShell software discovery cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (
        "Get-Package", "Win32_Product", "Win32_InstalledWin32Program",
        "Get-WmiObject", "Get-CimInstance", "CurrentVersion\\Uninstall",
        "InstalledProgramFramework"
    ))
    // rpm/dpkg/brew via bash (cross-platform endpoints)
    or (FileName in~ ("bash", "sh", "zsh") and ProcessCommandLine has_any (
        "dpkg -l", "dpkg --list", "rpm -qa", "rpm -q",
        "snap list", "flatpak list", "brew list",
        "apt list", "yum list installed", "dnf list installed"
    ))
)
| extend DetectionSource = "Process"
// Flag suspicious parent processes indicating post-exploitation context
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
// Exclude obvious system management processes
| where not (
    InitiatingProcessFileName in~ ("msiexec.exe", "trustedinstaller.exe", "svchost.exe")
    and AccountName in~ ("SYSTEM", "NT AUTHORITY\\SYSTEM")
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, SuspiciousParent, DetectionSource;
// Union and enrich
RegistryBranch
| union ProcessBranch
| extend RiskScore = case(
    DetectionSource == "Registry" and InitiatingProcessFileName in~ (SuspiciousParents), 3,
    DetectionSource == "Process" and SuspiciousParent == true, 3,
    DetectionSource == "Process" and FileName =~ "wmic.exe", 2,
    1
)
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Access Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Software inventory agents (SCCM, Tanium, Qualys, Tenable, ServiceNow Discovery) that regularly enumerate installed software for asset management and vulnerability scanning
System administrators running wmic product get or reg query manually during troubleshooting or software audits
PowerShell Desired State Configuration (DSC) and automation scripts (Ansible, Chef, Puppet) querying installed packages during compliance checks
Software installers and uninstallers that read Uninstall registry keys to check for existing versions before installation
Endpoint Detection & Response (EDR) agents that perform software inventory as part of their telemetry collection

Splunk

spl

(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (Image="*\\wmic.exe" (CommandLine="*product get*" OR CommandLine="*product list*" OR CommandLine="*Win32_Product*"))
    OR (Image="*\\reg.exe" CommandLine="*Uninstall*")
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") (CommandLine="*Get-Package*" OR CommandLine="*Win32_Product*" OR CommandLine="*Win32_InstalledWin32Program*" OR CommandLine="*Get-WmiObject*" OR CommandLine="*Get-CimInstance*" OR CommandLine="*CurrentVersion\\Uninstall*"))
    OR ((Image="*\\bash" OR Image="*\\sh" OR Image="*\\zsh") (CommandLine="*dpkg -l*" OR CommandLine="*rpm -qa*" OR CommandLine="*snap list*" OR CommandLine="*brew list*" OR CommandLine="*apt list*" OR CommandLine="*yum list installed*"))
  )
)
OR
(
  index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  (
    (NewProcessName="*\\wmic.exe" (CommandLine="*product get*" OR CommandLine="*Win32_Product*"))
    OR (NewProcessName="*\\reg.exe" CommandLine="*Uninstall*")
    OR ((NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe") (CommandLine="*Get-Package*" OR CommandLine="*Win32_Product*"))
  )
)
| eval ProcessImage=coalesce(Image, NewProcessName)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval CmdLine=coalesce(CommandLine, CommandLine)
| eval DiscoveryType=case(
    match(lower(CmdLine), "win32_product|product get|product list"), "WMI_Software_Enum",
    match(lower(CmdLine), "currentversion\\uninstall"), "Registry_Uninstall_Query",
    match(lower(CmdLine), "get-package"), "PS_GetPackage",
    match(lower(CmdLine), "dpkg|rpm -q|snap list|brew list|apt list|yum list"), "PackageManager_Enum",
    true(), "Generic_Software_Discovery"
  )
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)"), 1, 0)
| eval RiskScore=case(
    SuspiciousParent=1 AND DiscoveryType="WMI_Software_Enum", 3,
    SuspiciousParent=1, 2,
    DiscoveryType="WMI_Software_Enum", 2,
    true(), 1
  )
| where NOT (match(lower(ParentImage), "(msiexec\.exe|trustedinstaller\.exe|ccmexec\.exe|smss\.exe)") AND match(lower(User), "(system|nt authority)"))
| table _time, host, User, ProcessImage, CmdLine, ParentImage, ParentCommandLine, DiscoveryType, SuspiciousParent, RiskScore
| sort - _time

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software inventory and vulnerability scanning agents (SCCM, Tanium, Qualys, Rapid7) running on schedule as SYSTEM
IT administrators running manual software audits using wmic or PowerShell Get-Package
Configuration management platforms (Ansible, Puppet, Chef) querying installed packages during playbook runs
Software packaging and deployment tools reading Uninstall registry keys during installation workflows
Patch management solutions enumerating installed software to determine applicable patches

Elastic Security (EQL)

eql

sequence by host.name, process.entity_id with maxspan=5s
[
  any where event.category == "process" and event.type == "start" and
  (
    (
      process.name : "wmic.exe" and
      process.command_line : ("*product get*", "*product list*", "*Win32_Product*", "*product where*")
    ) or
    (
      process.name : "reg.exe" and
      process.command_line : "*Uninstall*"
    ) or
    (
      process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : (
        "*Get-Package*", "*Win32_Product*", "*Win32_InstalledWin32Program*",
        "*Get-WmiObject*", "*Get-CimInstance*", "*CurrentVersion\\Uninstall*",
        "*InstalledProgramFramework*"
      )
    ) or
    (
      process.name : ("bash", "sh", "zsh") and
      process.command_line : (
        "*dpkg -l*", "*dpkg --list*", "*rpm -qa*", "*rpm -q *",
        "*snap list*", "*flatpak list*", "*brew list*",
        "*apt list*", "*yum list installed*", "*dnf list installed*"
      )
    )
  ) and
  not (
    process.parent.name : ("msiexec.exe", "trustedinstaller.exe", "svchost.exe") and
    user.name : ("SYSTEM", "NT AUTHORITY\\SYSTEM")
  )
]
| eval risk_score = case(
    process.parent.name : ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"), 3,
    process.name : "wmic.exe", 2,
    true, 1
  )
| sort @timestamp desc

medium severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs (Sysmon via Elastic Agent) Auditbeat (Linux/macOS)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* logs-system.security-*

False Positives

IT asset management tools (SCCM, Ivanti, Tanium) routinely query installed software via WMI or registry for inventory purposes — these will trigger on legitimate scan cycles
Software deployment and patch management systems (Windows Update, third-party patching tools) may invoke wmic.exe or reg.exe against Uninstall keys during pre-flight compatibility checks
Developers and system administrators running PowerShell Get-Package or Get-CimInstance commands during troubleshooting or environment auditing, especially in DevOps pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "ProcessName",
  "CommandLine",
  "ParentProcessName",
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN "CommandLine" ILIKE '%Win32_Product%' OR "CommandLine" ILIKE '%product get%' OR "CommandLine" ILIKE '%product list%' THEN 'WMI_Software_Enum'
    WHEN "CommandLine" ILIKE '%CurrentVersion\Uninstall%' OR "CommandLine" ILIKE '%Uninstall%' AND "ProcessName" ILIKE '%reg.exe%' THEN 'Registry_Uninstall_Query'
    WHEN "CommandLine" ILIKE '%Get-Package%' OR "CommandLine" ILIKE '%Win32_InstalledWin32Program%' OR "CommandLine" ILIKE '%InstalledProgramFramework%' THEN 'PS_GetPackage'
    WHEN "CommandLine" ILIKE '%dpkg%' OR "CommandLine" ILIKE '%rpm -q%' OR "CommandLine" ILIKE '%snap list%' OR "CommandLine" ILIKE '%brew list%' OR "CommandLine" ILIKE '%yum list%' OR "CommandLine" ILIKE '%apt list%' OR "CommandLine" ILIKE '%dnf list%' THEN 'PackageManager_Enum'
    ELSE 'Generic_Software_Discovery'
  END AS DiscoveryType,
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%powershell.exe%' OR LOWER("ParentProcessName") LIKE '%pwsh.exe%'
      OR LOWER("ParentProcessName") LIKE '%wscript.exe%' OR LOWER("ParentProcessName") LIKE '%cscript.exe%'
      OR LOWER("ParentProcessName") LIKE '%mshta.exe%' OR LOWER("ParentProcessName") LIKE '%rundll32.exe%'
      OR LOWER("ParentProcessName") LIKE '%regsvr32.exe%' THEN 3
    WHEN LOWER("ProcessName") LIKE '%wmic.exe%' THEN 2
    ELSE 1
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'LinuxAuthLog', 'Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    -- wmic product enumeration
    (LOWER("ProcessName") LIKE '%wmic.exe%' AND (
      LOWER("CommandLine") LIKE '%product get%' OR
      LOWER("CommandLine") LIKE '%product list%' OR
      LOWER("CommandLine") LIKE '%product where%' OR
      LOWER("CommandLine") LIKE '%win32_product%'
    ))
    -- reg query uninstall
    OR (LOWER("ProcessName") LIKE '%reg.exe%' AND LOWER("CommandLine") LIKE '%uninstall%')
    -- PowerShell software discovery
    OR ((LOWER("ProcessName") LIKE '%powershell.exe%' OR LOWER("ProcessName") LIKE '%pwsh.exe%') AND (
      LOWER("CommandLine") LIKE '%get-package%' OR
      LOWER("CommandLine") LIKE '%win32_product%' OR
      LOWER("CommandLine") LIKE '%win32_installedwin32program%' OR
      LOWER("CommandLine") LIKE '%get-wmiobject%' OR
      LOWER("CommandLine") LIKE '%get-ciminstance%' OR
      LOWER("CommandLine") LIKE '%currentversion\uninstall%' OR
      LOWER("CommandLine") LIKE '%installedprogramframework%'
    ))
    -- Linux/macOS package manager enumeration
    OR ((LOWER("ProcessName") LIKE '%bash%' OR LOWER("ProcessName") LIKE '%/sh%' OR LOWER("ProcessName") LIKE '%zsh%') AND (
      LOWER("CommandLine") LIKE '%dpkg -l%' OR
      LOWER("CommandLine") LIKE '%dpkg --list%' OR
      LOWER("CommandLine") LIKE '%rpm -qa%' OR
      LOWER("CommandLine") LIKE '%snap list%' OR
      LOWER("CommandLine") LIKE '%brew list%' OR
      LOWER("CommandLine") LIKE '%apt list%' OR
      LOWER("CommandLine") LIKE '%yum list installed%' OR
      LOWER("CommandLine") LIKE '%dnf list installed%'
    ))
  )
  AND NOT (
    (LOWER("ParentProcessName") LIKE '%msiexec.exe%' OR LOWER("ParentProcessName") LIKE '%trustedinstaller.exe%' OR LOWER("ParentProcessName") LIKE '%ccmexec.exe%')
    AND (LOWER(username) LIKE '%system%' OR LOWER(username) LIKE '%nt authority%')
  )
ORDER BY starttime DESC

medium severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon Operational Log (via QRadar DSM) LinuxAuthLog / Auditd

Required Tables

events

False Positives

Endpoint management platforms (SCCM, BigFix, ManageEngine) perform scheduled WMI-based software inventory that will match WMI enumeration patterns during discovery cycles
Security compliance scanning tools (Nessus, Qualys, Rapid7) execute reg.exe and wmic.exe queries against Uninstall keys during credentialed vulnerability assessments
Linux build and CI/CD pipelines frequently enumerate installed packages via dpkg or rpm during dependency resolution and environment validation stages

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="linux/syslog")
| json auto
// Normalize process fields across Sysmon and Windows Security
| if (!isNull(Image), Image, NewProcessName) as ProcessImage
| if (!isNull(ParentImage), ParentImage, ParentProcessName) as ParentProcessImage
| if (!isNull(CommandLine), CommandLine, CommandLine) as CommandLine
| if (!isNull(User), User, SubjectUserName) as Username
| if (!isNull(Computer), Computer, host) as Hostname
// Filter to relevant events: Sysmon EID 1 or Windows Security EID 4688
| where (EventID = "1" AND _sourceCategory matches "*sysmon*")
  OR (EventID = "4688" AND _sourceCategory matches "*security*")
  OR _sourceCategory matches "*linux*syslog*"
// Core detection logic
| where (
    // wmic product enumeration
    (matches(lower(ProcessImage), ".*wmic\.exe$") AND (
      contains(lower(CommandLine), "product get") OR
      contains(lower(CommandLine), "product list") OR
      contains(lower(CommandLine), "product where") OR
      contains(lower(CommandLine), "win32_product")
    ))
    // reg query against uninstall keys
    OR (matches(lower(ProcessImage), ".*reg\.exe$") AND contains(lower(CommandLine), "uninstall"))
    // PowerShell software discovery cmdlets
    OR ((matches(lower(ProcessImage), ".*powershell\.exe$") OR matches(lower(ProcessImage), ".*pwsh\.exe$")) AND (
      contains(lower(CommandLine), "get-package") OR
      contains(lower(CommandLine), "win32_product") OR
      contains(lower(CommandLine), "win32_installedwin32program") OR
      contains(lower(CommandLine), "get-wmiobject") OR
      contains(lower(CommandLine), "get-ciminstance") OR
      contains(lower(CommandLine), "currentversion\\uninstall") OR
      contains(lower(CommandLine), "installedprogramframework")
    ))
    // Linux/macOS package manager enumeration
    OR ((matches(lower(ProcessImage), ".*(bash|/sh|zsh)$")) AND (
      contains(lower(CommandLine), "dpkg -l") OR
      contains(lower(CommandLine), "dpkg --list") OR
      contains(lower(CommandLine), "rpm -qa") OR
      contains(lower(CommandLine), "snap list") OR
      contains(lower(CommandLine), "brew list") OR
      contains(lower(CommandLine), "apt list") OR
      contains(lower(CommandLine), "yum list installed") OR
      contains(lower(CommandLine), "dnf list installed")
    ))
  )
// Exclusions: legitimate system management processes running as SYSTEM
| where NOT (
    (matches(lower(ParentProcessImage), ".*(msiexec\.exe|trustedinstaller\.exe|ccmexec\.exe|svchost\.exe)$"))
    AND (matches(lower(Username), ".*(system|nt authority).*"))
  )
// Discovery type classification
| eval DiscoveryType = if(
    matches(lower(CommandLine), "win32_product|product get|product list"), "WMI_Software_Enum",
    if(contains(lower(CommandLine), "currentversion\\uninstall"), "Registry_Uninstall_Query",
    if(contains(lower(CommandLine), "get-package"), "PS_GetPackage",
    if(matches(lower(CommandLine), "dpkg|rpm -q|snap list|brew list|apt list|yum list|dnf list"), "PackageManager_Enum",
    "Generic_Software_Discovery")))
  )
// Suspicious parent flag
| eval SuspiciousParent = if(
    matches(lower(ParentProcessImage), ".*(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe).*"),
    1, 0
  )
// Risk scoring
| eval RiskScore = if(SuspiciousParent = 1 AND DiscoveryType = "WMI_Software_Enum", 3,
    if(SuspiciousParent = 1, 2,
    if(DiscoveryType = "WMI_Software_Enum", 2, 1)))
| fields _messageTime, Hostname, Username, ProcessImage, CommandLine, ParentProcessImage, DiscoveryType, SuspiciousParent, RiskScore
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log) Sysmon Operational via Sumo Logic Windows Agent Linux syslog via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security _sourceCategory=linux/syslog

False Positives

Microsoft Configuration Manager (SCCM/MECM) hardware and software inventory agents execute WMI queries including Win32_Product on a schedule — high volume false positive during inventory collection windows
PowerShell-based administrative scripts for license auditing, software compliance reporting, or asset management will trigger on Get-WmiObject and Get-CimInstance patterns
Developer workstation environments where brew (macOS) or dpkg/apt (WSL2) package listings are executed during build environment setup or Docker image provisioning

Google Chronicle / SecOps

yaral

rule t1518_software_discovery {
  meta:
    author = "df00tech"
    description = "Detects software discovery activity via WMI, registry, PowerShell, and cross-platform package manager enumeration (MITRE ATT&CK T1518)"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1518"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-21"
    platforms = "Windows, Linux, macOS"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.process.file.full_path = $parent_path
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmdline

    // Match software discovery patterns across tools
    (
      // wmic.exe product enumeration
      (
        re.regex($proc_path, `(?i).*\\wmic\.exe$`) and
        (
          re.regex($cmdline, `(?i)product\s+(get|list|where)`) or
          strings.contains(strings.to_lower($cmdline), "win32_product")
        )
      ) or
      // reg.exe targeting Uninstall keys
      (
        re.regex($proc_path, `(?i).*\\reg\.exe$`) and
        strings.contains(strings.to_lower($cmdline), "uninstall")
      ) or
      // PowerShell software discovery
      (
        re.regex($proc_path, `(?i).*(powershell|pwsh)\.exe$`) and
        (
          strings.contains(strings.to_lower($cmdline), "get-package") or
          strings.contains(strings.to_lower($cmdline), "win32_product") or
          strings.contains(strings.to_lower($cmdline), "win32_installedwin32program") or
          strings.contains(strings.to_lower($cmdline), "get-wmiobject") or
          strings.contains(strings.to_lower($cmdline), "get-ciminstance") or
          re.regex($cmdline, `(?i)currentversion\\uninstall`) or
          strings.contains(strings.to_lower($cmdline), "installedprogramframework")
        )
      ) or
      // Linux/macOS package manager enumeration via shell
      (
        re.regex($proc_path, `(?i).*(bash|/sh|zsh)$`) and
        (
          strings.contains($cmdline, "dpkg -l") or
          strings.contains($cmdline, "dpkg --list") or
          re.regex($cmdline, `rpm -q[a]?\s`) or
          strings.contains($cmdline, "snap list") or
          strings.contains($cmdline, "brew list") or
          strings.contains($cmdline, "apt list") or
          strings.contains($cmdline, "yum list installed") or
          strings.contains($cmdline, "dnf list installed")
        )
      )
    )

    // Exclude legitimate system management parent processes running as SYSTEM
    not (
      re.regex($parent_path, `(?i).*(msiexec|trustedinstaller|svchost|ccmexec)\.exe$`) and
      re.regex($e.principal.user.userid, `(?i)(system|nt authority|local service)`)
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($parent_path, `(?i).*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$`) and
        (
          strings.contains(strings.to_lower($cmdline), "win32_product") or
          strings.contains(strings.to_lower($cmdline), "product get")
        ), 3
      ) +
      if(
        re.regex($parent_path, `(?i).*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$`), 2
      ) +
      if(
        re.regex($proc_path, `(?i).*\\wmic\.exe$`), 1
      )
    )
    $discovery_count = count($e.target.process.pid)
    $target_process = array_distinct($proc_path)
    $parent_process = array_distinct($parent_path)

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Process Events via Chronicle Forwarder Linux/macOS Process Events via Chronicle Forwarder or Bindplane

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Software asset management and ITAM tools (Flexera, Snow Software, ServiceNow Discovery) that rely on WMI or PowerShell to enumerate installed software across managed endpoints will generate high-volume true-positive-like alerts
Automated vulnerability scanning solutions that use WMI or command-line interfaces for credentialed software enumeration as part of patch compliance checks
macOS system administration and MDM enrollment workflows (Jamf, Mosyle) that invoke brew list or system_profiler during device enrollment or health checks

CrowdStrike LogScale (CQL)

cql

// T1518 Software Discovery — CrowdStrike Falcon LogScale (CQL)
// Detects WMI, registry, PowerShell, and package manager software enumeration

#event_simpleName = ProcessRollup2
| FileName = /(?i)(wmic\.exe|reg\.exe|powershell\.exe|pwsh\.exe|bash|sh|zsh)/
| CommandLine = /(?i)(
    product\s+(get|list|where)
    |win32_product
    |win32_installedwin32program
    |installedprogramframework
    |currentversion\\uninstall
    |get-package
    |get-wmiobject
    |get-ciminstance
    |dpkg\s+-[l-]
    |dpkg\s+--list
    |rpm\s+-q[a]?
    |snap\s+list
    |brew\s+list
    |apt\s+list
    |yum\s+list\s+installed
    |dnf\s+list\s+installed
  )/

// Exclude legitimate system management processes running as SYSTEM
| !(
    ParentBaseFileName = /(?i)(msiexec\.exe|trustedinstaller\.exe|svchost\.exe|ccmexec\.exe)/
    AND UserName = /(?i)(system|nt authority|local service)/
  )

// Classify discovery type
| DiscoveryType := case {
    CommandLine = /(?i)(win32_product|product\s+get|product\s+list)/ => "WMI_Software_Enum";
    CommandLine = /(?i)(currentversion\\uninstall)/ => "Registry_Uninstall_Query";
    CommandLine = /(?i)(get-package|win32_installedwin32program|installedprogramframework)/ => "PS_GetPackage";
    CommandLine = /(?i)(dpkg|rpm\s+-q|snap\s+list|brew\s+list|apt\s+list|yum\s+list|dnf\s+list)/ => "PackageManager_Enum";
    * => "Generic_Software_Discovery"
  }

// Flag suspicious parent processes
| SuspiciousParent := ParentBaseFileName
    = /(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)/

// Risk scoring
| RiskScore := case {
    SuspiciousParent = true AND DiscoveryType = "WMI_Software_Enum" => 3;
    SuspiciousParent = true => 2;
    DiscoveryType = "WMI_Software_Enum" => 2;
    * => 1
  }

// Aggregate by host and process for analyst triage
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DiscoveryType, SuspiciousParent, RiskScore],
    function=[
      count(aid, as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(RiskScore, order=desc)
| table(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DiscoveryType, SuspiciousParent, RiskScore, EventCount, FirstSeen, LastSeen]
  )

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) Falcon Data Replicator — Process telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Spotlight or third-party vulnerability management tools integrated with the Falcon platform may execute WMI queries for software inventory during assessment runs, matching the wmic and Win32_Product patterns
Group Policy-driven software compliance scripts executed via cmd.exe or PowerShell at logon or on schedule will regularly query registry Uninstall keys across the fleet
Developer or IT tooling installed on endpoints (Chocolatey, Homebrew on macOS, WSL with apt/dpkg) that self-updates or audits its package list through shell invocations during routine operations

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1518 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Software Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Discovery

Popular Detections