T1518.002

Backup Software Discovery

Adversaries may attempt to get a listing of backup software or configurations installed on a system. This discovery technique is commonly performed as pre-ransomware reconnaissance to identify backup solutions (Veeam, Acronis, Backup Exec, Commvault, Windows Server Backup) so attackers can disable, destroy, or encrypt them before deploying ransomware payloads. Methods include registry queries (reg query), process enumeration (tasklist, wmic), service enumeration (sc query, net start), directory listings, and PowerShell-based enumeration scripts such as the Get-DataInfo.ps1 script used by Wizard Spider (FIN12).

Microsoft Sentinel / Defender

kusto

let BackupSoftwareNames = dynamic([
  "veeam", "acronis", "backup exec", "commvault", "simpana", "arcserve",
  "paragon", "cobian", "backupassist", "bacula", "carbonite",
  "backblaze", "crashplan", "barracuda", "datto", "zerto",
  "veritas", "symantec backup", "wbadmin", "ntbackup"
]);
let BackupRegistryPaths = dynamic([
  "veeam", "acronis", "backup exec", "commvault", "arcserve", "paragon",
  "cobian backup", "backupassist", "windowsbackup"
]);
let BackupServiceNames = dynamic([
  "veeambackup", "veeamtransport", "veeamagent", "acronisagent", "acrsch2svc",
  "backupexecagent", "backupexecdevice", "backupexecjobengine", "backupexecmgmt",
  "cbvscsvc", "gxclmgrs", "gxcvd", "wbengine", "sdrsvc"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "reg.exe" and ProcessCommandLine has_any ("query", "QUERY") and ProcessCommandLine has_any (BackupRegistryPaths))
    or (FileName =~ "sc.exe" and ProcessCommandLine has_any ("query", "QUERY") and ProcessCommandLine has_any (BackupServiceNames))
    or (FileName =~ "net.exe" and ProcessCommandLine has "start" and ProcessCommandLine has_any (BackupServiceNames))
    or (FileName =~ "net1.exe" and ProcessCommandLine has "start" and ProcessCommandLine has_any (BackupServiceNames))
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("product", "process", "service") and ProcessCommandLine has_any (BackupSoftwareNames))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (
        "Get-DataInfo", "Get-Service", "Get-ItemProperty", "Get-WmiObject", "Get-CimInstance"
    ) and ProcessCommandLine has_any (BackupSoftwareNames))
    or (FileName =~ "tasklist.exe" and ProcessCommandLine has_any (BackupSoftwareNames))
    or (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("dir", "DIR") and ProcessCommandLine has_any (BackupSoftwareNames))
)
| extend DiscoveryMethod = case(
    FileName =~ "reg.exe", "Registry Query",
    FileName =~ "sc.exe", "Service Control Query",
    FileName in~ ("net.exe", "net1.exe"), "Net Service Enumeration",
    FileName =~ "wmic.exe", "WMI Query",
    FileName in~ ("powershell.exe", "pwsh.exe"), "PowerShell Enumeration",
    FileName =~ "tasklist.exe", "Process List Enumeration",
    FileName =~ "cmd.exe", "Directory Listing",
    "Other"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DiscoveryMethod
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup administrators running legitimate inventory or health-check scripts to verify backup agent status across endpoints
IT asset management tools (Lansweeper, PDQ Inventory, Snipe-IT) that enumerate installed software and services during scheduled discovery scans
Monitoring agents (Zabbix, PRTG, SolarWinds) checking backup service health and process status as part of regular infrastructure monitoring
Backup software itself performing self-checks or compatibility validation during installation, upgrade, or scheduled maintenance windows

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=lower(coalesce(Image, NewProcessName))
| eval CommandLine=lower(coalesce(CommandLine, ProcessCommandLine))
| eval ParentImage=lower(coalesce(ParentImage, ParentProcessName))
| eval BackupTerms="veeam|acronis|backup exec|commvault|arcserve|paragon|cobian|carbonite|backblaze|crashplan|barracuda|datto|zerto|veritas|wbadmin|wbengine|ntbackup|simpana"
| eval IsRegQuery=if(match(Image, "\\\\reg\.exe$") AND match(CommandLine, "query") AND match(CommandLine, BackupTerms), 1, 0)
| eval IsScQuery=if(match(Image, "\\\\sc\.exe$") AND match(CommandLine, "query") AND match(CommandLine, "veeam|acronis|backup|commvault|arcserve|wbengine|sdrsvc"), 1, 0)
| eval IsNetStart=if((match(Image, "\\\\net\.exe$") OR match(Image, "\\\\net1\.exe$")) AND match(CommandLine, "start") AND match(CommandLine, BackupTerms), 1, 0)
| eval IsWmic=if(match(Image, "\\\\wmic\.exe$") AND match(CommandLine, "product|process|service") AND match(CommandLine, BackupTerms), 1, 0)
| eval IsPowerShell=if((match(Image, "\\\\powershell\.exe$") OR match(Image, "\\\\pwsh\.exe$")) AND match(CommandLine, "get-service|get-itemproperty|get-wmiobject|get-ciminstance|get-datainfo") AND match(CommandLine, BackupTerms), 1, 0)
| eval IsTasklist=if(match(Image, "\\\\tasklist\.exe$") AND match(CommandLine, BackupTerms), 1, 0)
| eval IsDir=if(match(Image, "\\\\cmd\.exe$") AND match(CommandLine, "dir") AND match(CommandLine, BackupTerms), 1, 0)
| eval DiscoveryScore=IsRegQuery + IsScQuery + IsNetStart + IsWmic + IsPowerShell + IsTasklist + IsDir
| where DiscoveryScore > 0
| eval DiscoveryMethod=case(
    IsRegQuery=1, "Registry Query",
    IsScQuery=1, "Service Control Query",
    IsNetStart=1, "Net Service Enumeration",
    IsWmic=1, "WMI Query",
    IsPowerShell=1, "PowerShell Enumeration",
    IsTasklist=1, "Process List Enumeration",
    IsDir=1, "Directory Listing",
    true(), "Other"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DiscoveryMethod, DiscoveryScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Backup administrators running legitimate inventory or health-check scripts to verify backup agent status across endpoints
IT asset management tools (Lansweeper, PDQ Inventory, Snipe-IT) that enumerate installed software and services during scheduled discovery scans
Monitoring agents (Zabbix, PRTG, SolarWinds) checking backup service health and process status as part of regular infrastructure monitoring
Backup software itself performing self-checks or compatibility validation during installation, upgrade, or scheduled maintenance windows

Elastic Security (EQL)

eql

process where event.type == "start" and
  (
    (
      process.name : "reg.exe" and
      process.command_line : "*query*" and
      process.command_line : ("*veeam*", "*acronis*", "*commvault*", "*arcserve*", "*paragon*", "*cobian*", "*backupassist*", "*windowsbackup*")
    ) or
    (
      process.name : "sc.exe" and
      process.command_line : "*query*" and
      process.command_line : ("*veeam*", "*acronis*", "*backup*", "*commvault*", "*arcserve*", "*wbengine*", "*sdrsvc*")
    ) or
    (
      process.name : ("net.exe", "net1.exe") and
      process.command_line : "*start*" and
      process.command_line : ("*veeam*", "*acronis*", "*backup*", "*commvault*", "*arcserve*", "*carbonite*", "*wbengine*")
    ) or
    (
      process.name : "wmic.exe" and
      process.command_line : ("*product*", "*process*", "*service*") and
      process.command_line : ("*veeam*", "*acronis*", "*backup*", "*commvault*", "*arcserve*", "*carbonite*", "*crashplan*", "*barracuda*", "*datto*", "*zerto*", "*veritas*", "*wbadmin*", "*ntbackup*")
    ) or
    (
      process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : ("*get-datainfo*", "*get-service*", "*get-itemproperty*", "*get-wmiobject*", "*get-ciminstance*") and
      process.command_line : ("*veeam*", "*acronis*", "*backup*", "*commvault*", "*carbonite*", "*crashplan*", "*barracuda*", "*datto*", "*zerto*", "*veritas*", "*wbadmin*")
    ) or
    (
      process.name : "tasklist.exe" and
      process.command_line : ("*veeam*", "*acronis*", "*backup*", "*commvault*", "*carbonite*", "*crashplan*", "*barracuda*")
    ) or
    (
      process.name : "cmd.exe" and
      process.command_line : "*dir*" and
      process.command_line : ("*veeam*", "*acronis*", "*backup*", "*commvault*", "*arcserve*", "*carbonite*")
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat (Windows Security Event Log 4688) Winlogbeat (Sysmon Event ID 1)

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-endpoint.events.process-*

False Positives

IT administrators performing authorized backup software audits or CMDB inventory discovery using reg.exe, sc.exe, or wmic.exe queries against backup product registry keys
Automated backup health-check scripts or ITSM agents (ServiceNow Discovery, Ansible, Puppet) that enumerate installed backup services on a scheduled basis
Security vulnerability scanners such as Nessus, Qualys, or Rapid7 Nexpose performing credentialed software discovery scans that enumerate registry keys and installed services

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "User",
  CATEGORYNAME(category) AS "Event Category",
  QIDNAME(qid) AS "Event Name",
  "ProcessPath" AS "Process",
  "CommandLine" AS "Command Line",
  "ParentProcessPath" AS "Parent Process",
  CASE
    WHEN LOWER("ProcessPath") LIKE '%reg.exe' THEN 'Registry Query'
    WHEN LOWER("ProcessPath") LIKE '%sc.exe' THEN 'Service Control Query'
    WHEN LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe' THEN 'Net Service Enumeration'
    WHEN LOWER("ProcessPath") LIKE '%wmic.exe' THEN 'WMI Query'
    WHEN LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe' THEN 'PowerShell Enumeration'
    WHEN LOWER("ProcessPath") LIKE '%tasklist.exe' THEN 'Process List Enumeration'
    WHEN LOWER("ProcessPath") LIKE '%cmd.exe' THEN 'Directory Listing'
    ELSE 'Other'
  END AS "Discovery Method"
FROM events
WHERE
  (
    (
      LOWER("ProcessPath") LIKE '%reg.exe'
      AND LOWER("CommandLine") LIKE '%query%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%commvault%' OR LOWER("CommandLine") LIKE '%arcserve%'
        OR LOWER("CommandLine") LIKE '%paragon%' OR LOWER("CommandLine") LIKE '%cobian%'
        OR LOWER("CommandLine") LIKE '%backupassist%' OR LOWER("CommandLine") LIKE '%windowsbackup%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%sc.exe'
      AND LOWER("CommandLine") LIKE '%query%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%wbengine%'
        OR LOWER("CommandLine") LIKE '%sdrsvc%'
      )
    )
    OR (
      (LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe')
      AND LOWER("CommandLine") LIKE '%start%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%carbonite%'
        OR LOWER("CommandLine") LIKE '%wbengine%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%wmic.exe'
      AND (LOWER("CommandLine") LIKE '%product%' OR LOWER("CommandLine") LIKE '%process%' OR LOWER("CommandLine") LIKE '%service%')
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%carbonite%'
        OR LOWER("CommandLine") LIKE '%crashplan%' OR LOWER("CommandLine") LIKE '%barracuda%'
        OR LOWER("CommandLine") LIKE '%datto%' OR LOWER("CommandLine") LIKE '%zerto%'
        OR LOWER("CommandLine") LIKE '%veritas%' OR LOWER("CommandLine") LIKE '%wbadmin%'
        OR LOWER("CommandLine") LIKE '%ntbackup%'
      )
    )
    OR (
      (LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe')
      AND (
        LOWER("CommandLine") LIKE '%get-datainfo%' OR LOWER("CommandLine") LIKE '%get-service%'
        OR LOWER("CommandLine") LIKE '%get-itemproperty%' OR LOWER("CommandLine") LIKE '%get-wmiobject%'
        OR LOWER("CommandLine") LIKE '%get-ciminstance%'
      )
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%carbonite%' OR LOWER("CommandLine") LIKE '%crashplan%'
        OR LOWER("CommandLine") LIKE '%barracuda%' OR LOWER("CommandLine") LIKE '%datto%'
        OR LOWER("CommandLine") LIKE '%zerto%' OR LOWER("CommandLine") LIKE '%veritas%'
        OR LOWER("CommandLine") LIKE '%wbadmin%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%tasklist.exe'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%carbonite%' OR LOWER("CommandLine") LIKE '%crashplan%'
        OR LOWER("CommandLine") LIKE '%barracuda%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%cmd.exe'
      AND LOWER("CommandLine") LIKE '%dir%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%carbonite%'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (EventID 4688) Microsoft Sysmon (EventID 1) Windows Event Collector

Required Tables

events

False Positives

Authorized IT operations personnel querying backup service status during maintenance windows or change management activities
Enterprise backup agent self-discovery processes where the backup software itself enumerates running services or registry configuration at startup
Vulnerability management platforms performing credentialed Windows assessments that enumerate all installed software via WMI product queries

Sumo Logic CSE

sql

(_sourceCategory=windows* OR _sourceCategory=sysmon* OR _sourceCategory=wineventlog*)
| where EventCode = "1" OR EventCode = "4688"
| eval imageFull = lower(coalesce(Image, NewProcessName, ""))
| eval commandLine = lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval parentImage = lower(coalesce(ParentImage, ParentProcessName, ""))
| eval imageName = replace(imageFull, /^.*[\\\\|\/]/, "")
| eval backupTerms = "veeam|acronis|commvault|arcserve|paragon|cobian|backupassist|carbonite|backblaze|crashplan|barracuda|datto|zerto|veritas|wbadmin|wbengine|ntbackup|backup exec|simpana"
| eval isRegQuery = if(imageName = "reg.exe" AND commandLine matches ".*query.*" AND commandLine matches concat(".*(", backupTerms, ").*"), 1, 0)
| eval isScQuery = if(imageName = "sc.exe" AND commandLine matches ".*query.*" AND commandLine matches ".*veeam|acronis|backup|commvault|arcserve|wbengine|sdrsvc.*", 1, 0)
| eval isNetStart = if((imageName = "net.exe" OR imageName = "net1.exe") AND commandLine matches ".*start.*" AND commandLine matches concat(".*(", backupTerms, ").*"), 1, 0)
| eval isWmic = if(imageName = "wmic.exe" AND commandLine matches ".*(product|process|service).*" AND commandLine matches concat(".*(", backupTerms, ").*"), 1, 0)
| eval isPowerShell = if((imageName = "powershell.exe" OR imageName = "pwsh.exe") AND commandLine matches ".*(get-datainfo|get-service|get-itemproperty|get-wmiobject|get-ciminstance).*" AND commandLine matches concat(".*(", backupTerms, ").*"), 1, 0)
| eval isTasklist = if(imageName = "tasklist.exe" AND commandLine matches concat(".*(", backupTerms, ").*"), 1, 0)
| eval isDir = if(imageName = "cmd.exe" AND commandLine matches ".*\\bdir\\b.*" AND commandLine matches concat(".*(", backupTerms, ").*"), 1, 0)
| eval discoveryScore = isRegQuery + isScQuery + isNetStart + isWmic + isPowerShell + isTasklist + isDir
| where discoveryScore > 0
| eval discoveryMethod = if(isRegQuery = 1, "Registry Query",
    if(isScQuery = 1, "Service Control Query",
    if(isNetStart = 1, "Net Service Enumeration",
    if(isWmic = 1, "WMI Query",
    if(isPowerShell = 1, "PowerShell Enumeration",
    if(isTasklist = 1, "Process List Enumeration",
    if(isDir = 1, "Directory Listing", "Other")))))))
| table _messageTime, Computer, User, imageFull, commandLine, parentImage, discoveryMethod, discoveryScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log (EventID 4688) Microsoft Sysmon (EventID 1) Windows Event Collector forwarded logs

Required Tables

Sumo Logic partitions matching _sourceCategory=windows* or _sourceCategory=sysmon*

False Positives

Scheduled backup compliance reporting scripts run by backup administrators that call Get-Service or wmic service queries to generate inventory reports
IT asset management agents (Lansweeper, Spiceworks, Ivanti) performing periodic software discovery that enumerate backup products via registry or WMI
Backup software update or self-healing processes that query their own service state and registry configuration on startup or after system reboots

Google Chronicle / SecOps

yaral

rule backup_software_discovery_t1518_002 {
  meta:
    author = "df00tech"
    description = "Detects backup software discovery (MITRE ATT&CK T1518.002) — pre-ransomware reconnaissance targeting Veeam, Acronis, Commvault, Arcserve, Carbonite, Barracuda, and Windows Backup utilities via registry query, service enumeration, WMI, PowerShell, tasklist, and directory listing."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1518.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1518/002/"
    reference = "Wizard Spider FIN12 Get-DataInfo.ps1 script; pre-ransomware backup destruction pattern"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""

    (
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)query`) and
        re.regex($e.target.process.command_line, `(?i)(veeam|acronis|commvault|arcserve|paragon|cobian|backupassist|windowsbackup)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])sc\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)query`) and
        re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|wbengine|sdrsvc)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)start`) and
        re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|carbonite|wbengine)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(product|process|service)`) and
        re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|carbonite|crashplan|barracuda|datto|zerto|veritas|wbadmin|ntbackup)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(get-datainfo|get-service|get-itemproperty|get-wmiobject|get-ciminstance)`) and
        re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|carbonite|crashplan|barracuda|datto|zerto|veritas|wbadmin)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])tasklist\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|carbonite|crashplan|barracuda)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])cmd\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bdir\b`) and
        re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|carbonite)`)
      )
    )

    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $process = $e.target.process.file.full_path
    $cmdline = $e.target.process.command_line

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events) Windows Sysmon via Chronicle ingestion Microsoft Defender for Endpoint via Chronicle ingestion CrowdStrike Falcon via Chronicle ingestion

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Backup administrators using PowerShell scripts with Get-Service or Get-CimInstance to validate backup agent health across a fleet of servers as part of routine operations
Enterprise monitoring tools such as SolarWinds, Datadog, or PRTG that execute WMI or registry queries to collect backup software metrics and service availability
Active Directory Group Policy or SCCM compliance scripts that enumerate installed backup software during periodic machine compliance assessments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(reg|sc|net|net1|wmic|powershell|pwsh|tasklist|cmd)\.exe$/i
| CommandLine = /(?i)(veeam|acronis|commvault|arcserve|paragon|cobian|backupassist|carbonite|backblaze|crashplan|barracuda|datto|zerto|veritas|wbadmin|ntbackup|backup exec|simpana)/i
| case {
    FileName = /(?i)reg\.exe$/i
      | CommandLine = /(?i)query/i
      | DiscoveryMethod := "Registry Query" ;
    FileName = /(?i)sc\.exe$/i
      | CommandLine = /(?i)query/i
      | DiscoveryMethod := "Service Control Query" ;
    FileName = /(?i)net1?\.exe$/i
      | CommandLine = /(?i)start/i
      | DiscoveryMethod := "Net Service Enumeration" ;
    FileName = /(?i)wmic\.exe$/i
      | CommandLine = /(?i)(product|process|service)/i
      | DiscoveryMethod := "WMI Query" ;
    FileName = /(?i)(powershell|pwsh)\.exe$/i
      | CommandLine = /(?i)(get-datainfo|get-service|get-itemproperty|get-wmiobject|get-ciminstance)/i
      | DiscoveryMethod := "PowerShell Enumeration" ;
    FileName = /(?i)tasklist\.exe$/i
      | DiscoveryMethod := "Process List Enumeration" ;
    FileName = /(?i)cmd\.exe$/i
      | CommandLine = /(?i)\bdir\b/i
      | DiscoveryMethod := "Directory Listing" ;
    * | DiscoveryMethod := "Other"
  }
| DiscoveryMethod != "Other"
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DiscoveryMethod])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) Falcon Data Replicator (FDR) Humio/LogScale with Falcon telemetry

Required Tables

ProcessRollup2 event stream (#event_simpleName=ProcessRollup2)

False Positives

Backup software installation or upgrade processes that run sc.exe or reg.exe queries against their own registry keys and services as part of pre-flight checks
Help desk and remote support tools executing tasklist or wmic queries to diagnose backup agent connectivity issues on end-user systems
Penetration testing or red team exercises using documented TTPs such as Get-DataInfo.ps1 or wmic product enumeration in authorized assessment scopes

Last updated: 2026-04-20 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1518.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Backup Software Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections