Which SIEM platforms have a T1518 detection rule?

df00tech provides T1518 (Software Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1518 detection?

The T1518 detection is rated low severity with medium confidence.

What are common false positives for T1518?

Common false positives for T1518 include: Software inventory agents (SCCM, Tanium, Qualys, Tenable, ServiceNow Discovery) that regularly enumerate installed software for asset management and vulnerability scanning; System administrators running wmic product get or reg query manually during troubleshooting or software audits; PowerShell Desired State Configuration (DSC) and automation scripts (Ansible, Chef, Puppet) querying installed packages during compliance checks.

T1518

Software Discovery

Q: What data sources are required to detect Software Discovery (T1518)?

Detecting Software Discovery requires the following data sources: Process: Process Creation, Windows Registry: Windows Registry Key Access, Command: Command Execution, Microsoft Defender for Endpoint.

Discovery Last updated: April 21, 2026

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.

What is T1518 Software Discovery?

Software Discovery (T1518) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Software Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Windows Registry: Windows Registry Key Access, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1518 Software Discovery
Canonical reference: https://attack.mitre.org/techniques/T1518/

Microsoft Sentinel / Defender

kusto

let SoftwareDiscoveryPatterns = dynamic([
  // Registry-based enumeration
  "\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
  "\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
  // WMI-based enumeration
  "Win32_Product",
  "Win32_InstalledWin32Program",
  "Win32_InstalledProgramFramework",
  // PowerShell cmdlets
  "Get-Package",
  "Get-WmiObject",
  "Get-CimInstance",
  // WMIC commands
  "product get",
  "product list"
]);
let SuspiciousParents = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"
]);
// Branch 1: Registry queries targeting software inventory keys
let RegistryBranch = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "CurrentVersion\\Uninstall"
| where ActionType in ("RegistryKeyValueQueried", "RegistryQueryKey")
| extend DetectionSource = "Registry"
| project Timestamp, DeviceName, AccountName, ActionType,
          RegistryKey, RegistryValueName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionSource;
// Branch 2: Process-based software discovery (wmic, reg, PowerShell)
let ProcessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // wmic product enumeration
    (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("product get", "product list", "product where", "Win32_Product"))
    // reg query against uninstall keys
    or (FileName =~ "reg.exe" and ProcessCommandLine has "Uninstall")
    // PowerShell software discovery cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (
        "Get-Package", "Win32_Product", "Win32_InstalledWin32Program",
        "Get-WmiObject", "Get-CimInstance", "CurrentVersion\\Uninstall",
        "InstalledProgramFramework"
    ))
    // rpm/dpkg/brew via bash (cross-platform endpoints)
    or (FileName in~ ("bash", "sh", "zsh") and ProcessCommandLine has_any (
        "dpkg -l", "dpkg --list", "rpm -qa", "rpm -q",
        "snap list", "flatpak list", "brew list",
        "apt list", "yum list installed", "dnf list installed"
    ))
)
| extend DetectionSource = "Process"
// Flag suspicious parent processes indicating post-exploitation context
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
// Exclude obvious system management processes
| where not (
    InitiatingProcessFileName in~ ("msiexec.exe", "trustedinstaller.exe", "svchost.exe")
    and AccountName in~ ("SYSTEM", "NT AUTHORITY\\SYSTEM")
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, SuspiciousParent, DetectionSource;
// Union and enrich
RegistryBranch
| union ProcessBranch
| extend RiskScore = case(
    DetectionSource == "Registry" and InitiatingProcessFileName in~ (SuspiciousParents), 3,
    DetectionSource == "Process" and SuspiciousParent == true, 3,
    DetectionSource == "Process" and FileName =~ "wmic.exe", 2,
    1
)
| sort by Timestamp desc

Detects software enumeration activity across two telemetry branches: (1) registry reads against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall keys via DeviceRegistryEvents, and (2) process creation events in DeviceProcessEvents targeting wmic product enumeration, reg.exe Uninstall queries, PowerShell Get-Package/Get-WmiObject/Get-CimInstance Win32_Product calls, and Linux/macOS package manager invocations. A RiskScore field prioritizes events where discovery tools are launched from suspicious parent processes (PowerShell, cmd.exe, wscript.exe), indicating post-exploitation context rather than administrative activity.

low severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Access Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Software inventory agents (SCCM, Tanium, Qualys, Tenable, ServiceNow Discovery) that regularly enumerate installed software for asset management and vulnerability scanning
System administrators running wmic product get or reg query manually during troubleshooting or software audits
PowerShell Desired State Configuration (DSC) and automation scripts (Ansible, Chef, Puppet) querying installed packages during compliance checks
Software installers and uninstallers that read Uninstall registry keys to check for existing versions before installation
Endpoint Detection & Response (EDR) agents that perform software inventory as part of their telemetry collection

Splunk

spl

(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (Image="*\\wmic.exe" (CommandLine="*product get*" OR CommandLine="*product list*" OR CommandLine="*Win32_Product*"))
    OR (Image="*\\reg.exe" CommandLine="*Uninstall*")
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") (CommandLine="*Get-Package*" OR CommandLine="*Win32_Product*" OR CommandLine="*Win32_InstalledWin32Program*" OR CommandLine="*Get-WmiObject*" OR CommandLine="*Get-CimInstance*" OR CommandLine="*CurrentVersion\\Uninstall*"))
    OR ((Image="*\\bash" OR Image="*\\sh" OR Image="*\\zsh") (CommandLine="*dpkg -l*" OR CommandLine="*rpm -qa*" OR CommandLine="*snap list*" OR CommandLine="*brew list*" OR CommandLine="*apt list*" OR CommandLine="*yum list installed*"))
  )
)
OR
(
  index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  (
    (NewProcessName="*\\wmic.exe" (CommandLine="*product get*" OR CommandLine="*Win32_Product*"))
    OR (NewProcessName="*\\reg.exe" CommandLine="*Uninstall*")
    OR ((NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe") (CommandLine="*Get-Package*" OR CommandLine="*Win32_Product*"))
  )
)
| eval ProcessImage=coalesce(Image, NewProcessName)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval CmdLine=coalesce(CommandLine, CommandLine)
| eval DiscoveryType=case(
    match(lower(CmdLine), "win32_product|product get|product list"), "WMI_Software_Enum",
    match(lower(CmdLine), "currentversion\\uninstall"), "Registry_Uninstall_Query",
    match(lower(CmdLine), "get-package"), "PS_GetPackage",
    match(lower(CmdLine), "dpkg|rpm -q|snap list|brew list|apt list|yum list"), "PackageManager_Enum",
    true(), "Generic_Software_Discovery"
  )
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)"), 1, 0)
| eval RiskScore=case(
    SuspiciousParent=1 AND DiscoveryType="WMI_Software_Enum", 3,
    SuspiciousParent=1, 2,
    DiscoveryType="WMI_Software_Enum", 2,
    true(), 1
  )
| where NOT (match(lower(ParentImage), "(msiexec\.exe|trustedinstaller\.exe|ccmexec\.exe|smss\.exe)") AND match(lower(User), "(system|nt authority)"))
| table _time, host, User, ProcessImage, CmdLine, ParentImage, ParentCommandLine, DiscoveryType, SuspiciousParent, RiskScore
| sort - _time

Detects software discovery activity using Sysmon Event ID 1 (Process Creation) and Security Event ID 4688. Categorizes detections into discovery types (WMI enumeration, registry uninstall queries, PowerShell Get-Package, Linux/macOS package managers) and assigns risk scores based on whether the discovery tool was launched from a suspicious parent process. Filters out known-benign software management processes running as SYSTEM to reduce false positives from legitimate inventory agents.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software inventory and vulnerability scanning agents (SCCM, Tanium, Qualys, Rapid7) running on schedule as SYSTEM
IT administrators running manual software audits using wmic or PowerShell Get-Package
Configuration management platforms (Ansible, Puppet, Chef) querying installed packages during playbook runs
Software packaging and deployment tools reading Uninstall registry keys during installation workflows
Patch management solutions enumerating installed software to determine applicable patches

Elastic Security (EQL)

eql

sequence by host.name, process.entity_id with maxspan=5s
[
  any where event.category == "process" and event.type == "start" and
  (
    (
      process.name : "wmic.exe" and
      process.command_line : ("*product get*", "*product list*", "*Win32_Product*", "*product where*")
    ) or
    (
      process.name : "reg.exe" and
      process.command_line : "*Uninstall*"
    ) or
    (
      process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : (
        "*Get-Package*", "*Win32_Product*", "*Win32_InstalledWin32Program*",
        "*Get-WmiObject*", "*Get-CimInstance*", "*CurrentVersion\\Uninstall*",
        "*InstalledProgramFramework*"
      )
    ) or
    (
      process.name : ("bash", "sh", "zsh") and
      process.command_line : (
        "*dpkg -l*", "*dpkg --list*", "*rpm -qa*", "*rpm -q *",
        "*snap list*", "*flatpak list*", "*brew list*",
        "*apt list*", "*yum list installed*", "*dnf list installed*"
      )
    )
  ) and
  not (
    process.parent.name : ("msiexec.exe", "trustedinstaller.exe", "svchost.exe") and
    user.name : ("SYSTEM", "NT AUTHORITY\\SYSTEM")
  )
]
| eval risk_score = case(
    process.parent.name : ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"), 3,
    process.name : "wmic.exe", 2,
    true, 1
  )
| sort @timestamp desc

Detects software discovery activity via wmic, reg, PowerShell cmdlets, and cross-platform package managers. Covers both Windows registry-based enumeration and WMI-based software inventory queries. Risk scoring elevates events with suspicious parent processes indicative of post-exploitation context.

medium severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs (Sysmon via Elastic Agent) Auditbeat (Linux/macOS)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* logs-system.security-*

False Positives

IT asset management tools (SCCM, Ivanti, Tanium) routinely query installed software via WMI or registry for inventory purposes — these will trigger on legitimate scan cycles
Software deployment and patch management systems (Windows Update, third-party patching tools) may invoke wmic.exe or reg.exe against Uninstall keys during pre-flight compatibility checks
Developers and system administrators running PowerShell Get-Package or Get-CimInstance commands during troubleshooting or environment auditing, especially in DevOps pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "ProcessName",
  "CommandLine",
  "ParentProcessName",
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN "CommandLine" ILIKE '%Win32_Product%' OR "CommandLine" ILIKE '%product get%' OR "CommandLine" ILIKE '%product list%' THEN 'WMI_Software_Enum'
    WHEN "CommandLine" ILIKE '%CurrentVersion\Uninstall%' OR "CommandLine" ILIKE '%Uninstall%' AND "ProcessName" ILIKE '%reg.exe%' THEN 'Registry_Uninstall_Query'
    WHEN "CommandLine" ILIKE '%Get-Package%' OR "CommandLine" ILIKE '%Win32_InstalledWin32Program%' OR "CommandLine" ILIKE '%InstalledProgramFramework%' THEN 'PS_GetPackage'
    WHEN "CommandLine" ILIKE '%dpkg%' OR "CommandLine" ILIKE '%rpm -q%' OR "CommandLine" ILIKE '%snap list%' OR "CommandLine" ILIKE '%brew list%' OR "CommandLine" ILIKE '%yum list%' OR "CommandLine" ILIKE '%apt list%' OR "CommandLine" ILIKE '%dnf list%' THEN 'PackageManager_Enum'
    ELSE 'Generic_Software_Discovery'
  END AS DiscoveryType,
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%powershell.exe%' OR LOWER("ParentProcessName") LIKE '%pwsh.exe%'
      OR LOWER("ParentProcessName") LIKE '%wscript.exe%' OR LOWER("ParentProcessName") LIKE '%cscript.exe%'
      OR LOWER("ParentProcessName") LIKE '%mshta.exe%' OR LOWER("ParentProcessName") LIKE '%rundll32.exe%'
      OR LOWER("ParentProcessName") LIKE '%regsvr32.exe%' THEN 3
    WHEN LOWER("ProcessName") LIKE '%wmic.exe%' THEN 2
    ELSE 1
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'LinuxAuthLog', 'Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    -- wmic product enumeration
    (LOWER("ProcessName") LIKE '%wmic.exe%' AND (
      LOWER("CommandLine") LIKE '%product get%' OR
      LOWER("CommandLine") LIKE '%product list%' OR
      LOWER("CommandLine") LIKE '%product where%' OR
      LOWER("CommandLine") LIKE '%win32_product%'
    ))
    -- reg query uninstall
    OR (LOWER("ProcessName") LIKE '%reg.exe%' AND LOWER("CommandLine") LIKE '%uninstall%')
    -- PowerShell software discovery
    OR ((LOWER("ProcessName") LIKE '%powershell.exe%' OR LOWER("ProcessName") LIKE '%pwsh.exe%') AND (
      LOWER("CommandLine") LIKE '%get-package%' OR
      LOWER("CommandLine") LIKE '%win32_product%' OR
      LOWER("CommandLine") LIKE '%win32_installedwin32program%' OR
      LOWER("CommandLine") LIKE '%get-wmiobject%' OR
      LOWER("CommandLine") LIKE '%get-ciminstance%' OR
      LOWER("CommandLine") LIKE '%currentversion\uninstall%' OR
      LOWER("CommandLine") LIKE '%installedprogramframework%'
    ))
    -- Linux/macOS package manager enumeration
    OR ((LOWER("ProcessName") LIKE '%bash%' OR LOWER("ProcessName") LIKE '%/sh%' OR LOWER("ProcessName") LIKE '%zsh%') AND (
      LOWER("CommandLine") LIKE '%dpkg -l%' OR
      LOWER("CommandLine") LIKE '%dpkg --list%' OR
      LOWER("CommandLine") LIKE '%rpm -qa%' OR
      LOWER("CommandLine") LIKE '%snap list%' OR
      LOWER("CommandLine") LIKE '%brew list%' OR
      LOWER("CommandLine") LIKE '%apt list%' OR
      LOWER("CommandLine") LIKE '%yum list installed%' OR
      LOWER("CommandLine") LIKE '%dnf list installed%'
    ))
  )
  AND NOT (
    (LOWER("ParentProcessName") LIKE '%msiexec.exe%' OR LOWER("ParentProcessName") LIKE '%trustedinstaller.exe%' OR LOWER("ParentProcessName") LIKE '%ccmexec.exe%')
    AND (LOWER(username) LIKE '%system%' OR LOWER(username) LIKE '%nt authority%')
  )
ORDER BY starttime DESC

AQL query detecting software discovery activity through WMI, registry, PowerShell, and package manager enumeration. Correlates process execution events from Windows Security logs, Sysmon, and Linux audit logs. Assigns risk scores based on suspicious parent process inheritance indicative of post-exploitation.

medium severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon Operational Log (via QRadar DSM) LinuxAuthLog / Auditd

Required Tables

events

False Positives

Endpoint management platforms (SCCM, BigFix, ManageEngine) perform scheduled WMI-based software inventory that will match WMI enumeration patterns during discovery cycles
Security compliance scanning tools (Nessus, Qualys, Rapid7) execute reg.exe and wmic.exe queries against Uninstall keys during credentialed vulnerability assessments
Linux build and CI/CD pipelines frequently enumerate installed packages via dpkg or rpm during dependency resolution and environment validation stages

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="linux/syslog")
| json auto
// Normalize process fields across Sysmon and Windows Security
| if (!isNull(Image), Image, NewProcessName) as ProcessImage
| if (!isNull(ParentImage), ParentImage, ParentProcessName) as ParentProcessImage
| if (!isNull(CommandLine), CommandLine, CommandLine) as CommandLine
| if (!isNull(User), User, SubjectUserName) as Username
| if (!isNull(Computer), Computer, host) as Hostname
// Filter to relevant events: Sysmon EID 1 or Windows Security EID 4688
| where (EventID = "1" AND _sourceCategory matches "*sysmon*")
  OR (EventID = "4688" AND _sourceCategory matches "*security*")
  OR _sourceCategory matches "*linux*syslog*"
// Core detection logic
| where (
    // wmic product enumeration
    (matches(lower(ProcessImage), ".*wmic\.exe$") AND (
      contains(lower(CommandLine), "product get") OR
      contains(lower(CommandLine), "product list") OR
      contains(lower(CommandLine), "product where") OR
      contains(lower(CommandLine), "win32_product")
    ))
    // reg query against uninstall keys
    OR (matches(lower(ProcessImage), ".*reg\.exe$") AND contains(lower(CommandLine), "uninstall"))
    // PowerShell software discovery cmdlets
    OR ((matches(lower(ProcessImage), ".*powershell\.exe$") OR matches(lower(ProcessImage), ".*pwsh\.exe$")) AND (
      contains(lower(CommandLine), "get-package") OR
      contains(lower(CommandLine), "win32_product") OR
      contains(lower(CommandLine), "win32_installedwin32program") OR
      contains(lower(CommandLine), "get-wmiobject") OR
      contains(lower(CommandLine), "get-ciminstance") OR
      contains(lower(CommandLine), "currentversion\\uninstall") OR
      contains(lower(CommandLine), "installedprogramframework")
    ))
    // Linux/macOS package manager enumeration
    OR ((matches(lower(ProcessImage), ".*(bash|/sh|zsh)$")) AND (
      contains(lower(CommandLine), "dpkg -l") OR
      contains(lower(CommandLine), "dpkg --list") OR
      contains(lower(CommandLine), "rpm -qa") OR
      contains(lower(CommandLine), "snap list") OR
      contains(lower(CommandLine), "brew list") OR
      contains(lower(CommandLine), "apt list") OR
      contains(lower(CommandLine), "yum list installed") OR
      contains(lower(CommandLine), "dnf list installed")
    ))
  )
// Exclusions: legitimate system management processes running as SYSTEM
| where NOT (
    (matches(lower(ParentProcessImage), ".*(msiexec\.exe|trustedinstaller\.exe|ccmexec\.exe|svchost\.exe)$"))
    AND (matches(lower(Username), ".*(system|nt authority).*"))
  )
// Discovery type classification
| eval DiscoveryType = if(
    matches(lower(CommandLine), "win32_product|product get|product list"), "WMI_Software_Enum",
    if(contains(lower(CommandLine), "currentversion\\uninstall"), "Registry_Uninstall_Query",
    if(contains(lower(CommandLine), "get-package"), "PS_GetPackage",
    if(matches(lower(CommandLine), "dpkg|rpm -q|snap list|brew list|apt list|yum list|dnf list"), "PackageManager_Enum",
    "Generic_Software_Discovery")))
  )
// Suspicious parent flag
| eval SuspiciousParent = if(
    matches(lower(ParentProcessImage), ".*(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe).*"),
    1, 0
  )
// Risk scoring
| eval RiskScore = if(SuspiciousParent = 1 AND DiscoveryType = "WMI_Software_Enum", 3,
    if(SuspiciousParent = 1, 2,
    if(DiscoveryType = "WMI_Software_Enum", 2, 1)))
| fields _messageTime, Hostname, Username, ProcessImage, CommandLine, ParentProcessImage, DiscoveryType, SuspiciousParent, RiskScore
| sort by _messageTime desc

Sumo Logic detection for software discovery activity via WMI, registry, PowerShell, and package manager enumeration. Normalizes fields across Sysmon and Windows Security log sourcetypes. Classifies discovery method and scores risk based on parent process context to surface post-exploitation scenarios.

medium severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log) Sysmon Operational via Sumo Logic Windows Agent Linux syslog via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security _sourceCategory=linux/syslog

False Positives

Microsoft Configuration Manager (SCCM/MECM) hardware and software inventory agents execute WMI queries including Win32_Product on a schedule — high volume false positive during inventory collection windows
PowerShell-based administrative scripts for license auditing, software compliance reporting, or asset management will trigger on Get-WmiObject and Get-CimInstance patterns
Developer workstation environments where brew (macOS) or dpkg/apt (WSL2) package listings are executed during build environment setup or Docker image provisioning

Google Chronicle / SecOps

yaral

rule t1518_software_discovery {
  meta:
    author = "df00tech"
    description = "Detects software discovery activity via WMI, registry, PowerShell, and cross-platform package manager enumeration (MITRE ATT&CK T1518)"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1518"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-21"
    platforms = "Windows, Linux, macOS"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.process.file.full_path = $parent_path
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmdline

    // Match software discovery patterns across tools
    (
      // wmic.exe product enumeration
      (
        re.regex($proc_path, `(?i).*\\wmic\.exe$`) and
        (
          re.regex($cmdline, `(?i)product\s+(get|list|where)`) or
          strings.contains(strings.to_lower($cmdline), "win32_product")
        )
      ) or
      // reg.exe targeting Uninstall keys
      (
        re.regex($proc_path, `(?i).*\\reg\.exe$`) and
        strings.contains(strings.to_lower($cmdline), "uninstall")
      ) or
      // PowerShell software discovery
      (
        re.regex($proc_path, `(?i).*(powershell|pwsh)\.exe$`) and
        (
          strings.contains(strings.to_lower($cmdline), "get-package") or
          strings.contains(strings.to_lower($cmdline), "win32_product") or
          strings.contains(strings.to_lower($cmdline), "win32_installedwin32program") or
          strings.contains(strings.to_lower($cmdline), "get-wmiobject") or
          strings.contains(strings.to_lower($cmdline), "get-ciminstance") or
          re.regex($cmdline, `(?i)currentversion\\uninstall`) or
          strings.contains(strings.to_lower($cmdline), "installedprogramframework")
        )
      ) or
      // Linux/macOS package manager enumeration via shell
      (
        re.regex($proc_path, `(?i).*(bash|/sh|zsh)$`) and
        (
          strings.contains($cmdline, "dpkg -l") or
          strings.contains($cmdline, "dpkg --list") or
          re.regex($cmdline, `rpm -q[a]?\s`) or
          strings.contains($cmdline, "snap list") or
          strings.contains($cmdline, "brew list") or
          strings.contains($cmdline, "apt list") or
          strings.contains($cmdline, "yum list installed") or
          strings.contains($cmdline, "dnf list installed")
        )
      )
    )

    // Exclude legitimate system management parent processes running as SYSTEM
    not (
      re.regex($parent_path, `(?i).*(msiexec|trustedinstaller|svchost|ccmexec)\.exe$`) and
      re.regex($e.principal.user.userid, `(?i)(system|nt authority|local service)`)
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($parent_path, `(?i).*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$`) and
        (
          strings.contains(strings.to_lower($cmdline), "win32_product") or
          strings.contains(strings.to_lower($cmdline), "product get")
        ), 3
      ) +
      if(
        re.regex($parent_path, `(?i).*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$`), 2
      ) +
      if(
        re.regex($proc_path, `(?i).*\\wmic\.exe$`), 1
      )
    )
    $discovery_count = count($e.target.process.pid)
    $target_process = array_distinct($proc_path)
    $parent_process = array_distinct($parent_path)

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1518 Software Discovery through WMI product enumeration, registry Uninstall key queries, PowerShell software cmdlets, and Linux/macOS package manager invocations. Uses UDM process launch events with regex matching on process paths and command lines. Outcome block computes risk score based on parent process context.

medium severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Process Events via Chronicle Forwarder Linux/macOS Process Events via Chronicle Forwarder or Bindplane

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Software asset management and ITAM tools (Flexera, Snow Software, ServiceNow Discovery) that rely on WMI or PowerShell to enumerate installed software across managed endpoints will generate high-volume true-positive-like alerts
Automated vulnerability scanning solutions that use WMI or command-line interfaces for credentialed software enumeration as part of patch compliance checks
macOS system administration and MDM enrollment workflows (Jamf, Mosyle) that invoke brew list or system_profiler during device enrollment or health checks

CrowdStrike LogScale (CQL)

cql

// T1518 Software Discovery — CrowdStrike Falcon LogScale (CQL)
// Detects WMI, registry, PowerShell, and package manager software enumeration

#event_simpleName = ProcessRollup2
| FileName = /(?i)(wmic\.exe|reg\.exe|powershell\.exe|pwsh\.exe|bash|sh|zsh)/
| CommandLine = /(?i)(
    product\s+(get|list|where)
    |win32_product
    |win32_installedwin32program
    |installedprogramframework
    |currentversion\\uninstall
    |get-package
    |get-wmiobject
    |get-ciminstance
    |dpkg\s+-[l-]
    |dpkg\s+--list
    |rpm\s+-q[a]?
    |snap\s+list
    |brew\s+list
    |apt\s+list
    |yum\s+list\s+installed
    |dnf\s+list\s+installed
  )/

// Exclude legitimate system management processes running as SYSTEM
| !(
    ParentBaseFileName = /(?i)(msiexec\.exe|trustedinstaller\.exe|svchost\.exe|ccmexec\.exe)/
    AND UserName = /(?i)(system|nt authority|local service)/
  )

// Classify discovery type
| DiscoveryType := case {
    CommandLine = /(?i)(win32_product|product\s+get|product\s+list)/ => "WMI_Software_Enum";
    CommandLine = /(?i)(currentversion\\uninstall)/ => "Registry_Uninstall_Query";
    CommandLine = /(?i)(get-package|win32_installedwin32program|installedprogramframework)/ => "PS_GetPackage";
    CommandLine = /(?i)(dpkg|rpm\s+-q|snap\s+list|brew\s+list|apt\s+list|yum\s+list|dnf\s+list)/ => "PackageManager_Enum";
    * => "Generic_Software_Discovery"
  }

// Flag suspicious parent processes
| SuspiciousParent := ParentBaseFileName
    = /(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)/

// Risk scoring
| RiskScore := case {
    SuspiciousParent = true AND DiscoveryType = "WMI_Software_Enum" => 3;
    SuspiciousParent = true => 2;
    DiscoveryType = "WMI_Software_Enum" => 2;
    * => 1
  }

// Aggregate by host and process for analyst triage
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DiscoveryType, SuspiciousParent, RiskScore],
    function=[
      count(aid, as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(RiskScore, order=desc)
| table(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DiscoveryType, SuspiciousParent, RiskScore, EventCount, FirstSeen, LastSeen]
  )

CrowdStrike Falcon LogScale detection for T1518 Software Discovery using ProcessRollup2 events. Matches wmic, reg, PowerShell, and shell-based package manager invocations via regex against FileName and CommandLine fields. Classifies discovery method, flags suspicious parent inheritance, and aggregates events per host for analyst efficiency.

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) Falcon Data Replicator — Process telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Spotlight or third-party vulnerability management tools integrated with the Falcon platform may execute WMI queries for software inventory during assessment runs, matching the wmic and Win32_Product patterns
Group Policy-driven software compliance scripts executed via cmd.exe or PowerShell at logon or on schedule will regularly query registry Uninstall keys across the fleet
Developer or IT tooling installed on endpoints (Chocolatey, Homebrew on macOS, WSL with apt/dpkg) that self-updates or audits its package list through shell invocations during routine operations

Sigma rule & cross-platform mapping

The detection logic for Software Discovery (T1518) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1518 Sigma rules on detection.fyi

Platform-specific guides for T1518

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-21 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1WMIC Product Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).
Test 2Registry Query for Installed Software (reg.exe)
Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.
Test 3PowerShell Software Discovery via Get-Package
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.
Test 4Linux Package Enumeration via dpkg and rpm
Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1518 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Software Discovery

What is T1518 Software Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1518

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1518 Software Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1518

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox