
Detect Backup Software Discovery in IBM QRadar

Adversaries may attempt to get a listing of backup software or configurations installed on a system. This discovery technique is commonly performed as pre-ransomware reconnaissance to identify backup solutions (Veeam, Acronis, Backup Exec, Commvault, Windows Server Backup) so attackers can disable, destroy, or encrypt them before deploying ransomware payloads. Methods include registry queries (reg query), process enumeration (tasklist, wmic), service enumeration (sc query, net start), directory listings, and PowerShell-based enumeration scripts such as the Get-DataInfo.ps1 script used by Wizard Spider (FIN12).

MITRE ATT&CK

Tactic
Discovery
Technique
T1518 Software Discovery
Sub-technique
T1518.002 Backup Software Discovery
Canonical reference
https://attack.mitre.org/techniques/T1518/002/

QRadar Detection Query

IBM QRadar (AQL)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "User",
  CATEGORYNAME(category) AS "Event Category",
  QIDNAME(qid) AS "Event Name",
  "ProcessPath" AS "Process",
  "CommandLine" AS "Command Line",
  "ParentProcessPath" AS "Parent Process",
  CASE
    WHEN LOWER("ProcessPath") LIKE '%reg.exe' THEN 'Registry Query'
    WHEN LOWER("ProcessPath") LIKE '%sc.exe' THEN 'Service Control Query'
    WHEN LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe' THEN 'Net Service Enumeration'
    WHEN LOWER("ProcessPath") LIKE '%wmic.exe' THEN 'WMI Query'
    WHEN LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe' THEN 'PowerShell Enumeration'
    WHEN LOWER("ProcessPath") LIKE '%tasklist.exe' THEN 'Process List Enumeration'
    WHEN LOWER("ProcessPath") LIKE '%cmd.exe' THEN 'Directory Listing'
    ELSE 'Other'
  END AS "Discovery Method"
FROM events
WHERE
  (
    (
      LOWER("ProcessPath") LIKE '%reg.exe'
      AND LOWER("CommandLine") LIKE '%query%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%commvault%' OR LOWER("CommandLine") LIKE '%arcserve%'
        OR LOWER("CommandLine") LIKE '%paragon%' OR LOWER("CommandLine") LIKE '%cobian%'
        OR LOWER("CommandLine") LIKE '%backupassist%' OR LOWER("CommandLine") LIKE '%windowsbackup%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%sc.exe'
      AND LOWER("CommandLine") LIKE '%query%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%wbengine%'
        OR LOWER("CommandLine") LIKE '%sdrsvc%'
      )
    )
    OR (
      (LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe')
      AND LOWER("CommandLine") LIKE '%start%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%carbonite%'
        OR LOWER("CommandLine") LIKE '%wbengine%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%wmic.exe'
      AND (LOWER("CommandLine") LIKE '%product%' OR LOWER("CommandLine") LIKE '%process%' OR LOWER("CommandLine") LIKE '%service%')
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%carbonite%'
        OR LOWER("CommandLine") LIKE '%crashplan%' OR LOWER("CommandLine") LIKE '%barracuda%'
        OR LOWER("CommandLine") LIKE '%datto%' OR LOWER("CommandLine") LIKE '%zerto%'
        OR LOWER("CommandLine") LIKE '%veritas%' OR LOWER("CommandLine") LIKE '%wbadmin%'
        OR LOWER("CommandLine") LIKE '%ntbackup%'
      )
    )
    OR (
      (LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe')
      AND (
        LOWER("CommandLine") LIKE '%get-datainfo%' OR LOWER("CommandLine") LIKE '%get-service%'
        OR LOWER("CommandLine") LIKE '%get-itemproperty%' OR LOWER("CommandLine") LIKE '%get-wmiobject%'
        OR LOWER("CommandLine") LIKE '%get-ciminstance%'
      )
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%carbonite%' OR LOWER("CommandLine") LIKE '%crashplan%'
        OR LOWER("CommandLine") LIKE '%barracuda%' OR LOWER("CommandLine") LIKE '%datto%'
        OR LOWER("CommandLine") LIKE '%zerto%' OR LOWER("CommandLine") LIKE '%veritas%'
        OR LOWER("CommandLine") LIKE '%wbadmin%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%tasklist.exe'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%carbonite%' OR LOWER("CommandLine") LIKE '%crashplan%'
        OR LOWER("CommandLine") LIKE '%barracuda%'
      )
    )
    OR (
      LOWER("ProcessPath") LIKE '%cmd.exe'
      AND LOWER("CommandLine") LIKE '%dir%'
      AND (
        LOWER("CommandLine") LIKE '%veeam%' OR LOWER("CommandLine") LIKE '%acronis%'
        OR LOWER("CommandLine") LIKE '%backup%' OR LOWER("CommandLine") LIKE '%commvault%'
        OR LOWER("CommandLine") LIKE '%arcserve%' OR LOWER("CommandLine") LIKE '%carbonite%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

Severity: high · Confidence: medium

Detects backup software discovery (T1518.002) in IBM QRadar by querying process creation events from Windows Security (Event ID 4688) and Sysmon (Event ID 1) log sources. Matches process execution across seven discovery methods (registry query, service control query, net service enumeration, WMI query, PowerShell enumeration, process list enumeration and directory listing), each gated on a known backup product or service name appearing in the command line. The query relies on the custom event properties ProcessPath and CommandLine being populated by the Windows DSM (from Sysmon Image/CommandLine and from the Security 4688 fields New Process Name/Process Command Line); verify the property names match your deployment. Note that 4688 only carries a command line when "Include command line in process creation events" is enabled in audit policy, so without it the Security log contributes nothing to this rule. In AQL the time clause (LAST 24 HOURS) must follow ORDER BY, as written above.

Data Sources

  • Windows Security Event Log (Event ID 4688)
  • Microsoft Sysmon (Event ID 1)
  • Windows Event Collector

Required Tables

events

False Positives & Tuning

  • Authorized IT operations personnel querying backup service status during maintenance windows or change management activities
  • Enterprise backup agent self-discovery processes where the backup software itself enumerates running services or registry configuration at startup
  • Vulnerability management platforms performing credentialed Windows assessments that enumerate all installed software via WMI product queries
  • Substring matching on 'backup' (sc, net, wmic, PowerShell, tasklist and cmd branches) and on 'dir' (cmd branch, which also matches mkdir, rmdir and 'directory') will hit unrelated administrative commands; if volume is high, tighten to whole-word patterns or to specific service names (e.g. VeeamBackupSvc, wbengine, sdrsvc)


Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Registry Query for Veeam and Acronis Backup Software

    Expected signal: Sysmon Event ID 1: four Process Create events with Image=reg.exe and CommandLine containing 'query' and 'Veeam' or 'Acronis'. Security Event ID 4688 with the same details if command line auditing is enabled. Event ID 4663 fires for each key read only if the Audit Registry subcategory is enabled and a SACL is set on the queried keys; with no SACL there is no 4663.

  2. Test 2: PowerShell WMI Backup Software Enumeration via Win32_Product

    Expected signal: Sysmon Event ID 1: two Process Create events with Image=powershell.exe, one CommandLine containing 'Get-WmiObject' and 'Win32_Product' with backup-related filter terms, the other containing 'Get-Service' with backup terms. PowerShell ScriptBlock Log Event ID 4104 with the full script content. WMI activity logged in Microsoft-Windows-WMI-Activity/Operational. Querying Win32_Product also makes Windows Installer re-validate every installed MSI package, so expect a burst of MsiInstaller Event ID 1035 entries in the Application log; that side effect is itself a usable indicator.

  3. Test 3: Service Control Enumeration of Backup Services

    Expected signal: Sysmon Event ID 1: six Process Create events with Image=sc.exe and CommandLine containing 'query' followed by the backup service name. Security Event ID 4688 for each sc.exe execution if command line auditing is enabled. Note: service status queries do not require elevated privileges and run as a standard user.

  4. Test 4: Tasklist and Net Start Backup Process Discovery

    Expected signal: Sysmon Event ID 1: Process Create events for tasklist.exe and net.exe (or net1.exe), with findstr.exe spawned alongside them by the same parent shell. In the piped form (tasklist | findstr veeam, net start | findstr backup) the search term appears only in the findstr.exe command line, so the tasklist and net branches of the query above do not fire; they match only when the term is on the tasklist.exe or net.exe command line itself, e.g. tasklist /fi "IMAGENAME eq Veeam*". For net.exe that means net start <service name>, which starts the service rather than listing it, so the net branch is a weak discovery signal. Security Event ID 4688 for each process if command line auditing is enabled.
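To check what the AQL query above actually returns for the four tests, here is an added Python model of its WHERE clause and CASE expression run over constructed process-creation events. This is example code written for this page, not the page's rule and not a QRadar API; the event dicts are made-up samples using the ProcessPath/CommandLine property names the query assumes, and the service and key names in them are illustrative. It shows which test commands fire, that the piped findstr form of Test 4 does not, that a 4688 event with no command line never matches, and how the bare 'dir' and 'backup' substrings produce a hit on an unrelated mkdir.

```python
# Added example: Python model of the T1518.002 AQL WHERE/CASE logic,
# applied to constructed process-creation events. Not the page's rule
# and not QRadar output; field names mirror the custom properties the
# query assumes (ProcessPath, CommandLine).
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    """One OR-branch of the AQL WHERE clause and the CASE label it yields."""
    label: str
    images: tuple   # ProcessPath suffixes, i.e. LIKE '%name.exe'
    verbs: tuple    # at least one must appear in CommandLine (empty = no gate)
    terms: tuple    # at least one backup product/service name must appear


# Branch order and term lists copied from the query, in CASE order.
BRANCHES = (
    Branch("Registry Query", ("reg.exe",), ("query",),
           ("veeam", "acronis", "commvault", "arcserve", "paragon", "cobian",
            "backupassist", "windowsbackup")),
    Branch("Service Control Query", ("sc.exe",), ("query",),
           ("veeam", "acronis", "backup", "commvault", "arcserve", "wbengine", "sdrsvc")),
    Branch("Net Service Enumeration", ("net.exe", "net1.exe"), ("start",),
           ("veeam", "acronis", "backup", "commvault", "arcserve", "carbonite", "wbengine")),
    Branch("WMI Query", ("wmic.exe",), ("product", "process", "service"),
           ("veeam", "acronis", "backup", "commvault", "arcserve", "carbonite", "crashplan",
            "barracuda", "datto", "zerto", "veritas", "wbadmin", "ntbackup")),
    Branch("PowerShell Enumeration", ("powershell.exe", "pwsh.exe"),
           ("get-datainfo", "get-service", "get-itemproperty", "get-wmiobject", "get-ciminstance"),
           ("veeam", "acronis", "backup", "commvault", "carbonite", "crashplan", "barracuda",
            "datto", "zerto", "veritas", "wbadmin")),
    Branch("Process List Enumeration", ("tasklist.exe",), (),
           ("veeam", "acronis", "backup", "commvault", "carbonite", "crashplan", "barracuda")),
    Branch("Directory Listing", ("cmd.exe",), ("dir",),
           ("veeam", "acronis", "backup", "commvault", "arcserve", "carbonite")),
)


def classify(event):
    """Return the 'Discovery Method' label the query would emit, or None if
    the WHERE clause rejects the event. LOWER(NULL) LIKE ... is false in AQL,
    so a missing CommandLine is treated as an empty string and never matches."""
    path = (event.get("ProcessPath") or "").lower()
    cmd = (event.get("CommandLine") or "").lower()
    for b in BRANCHES:
        if not path.endswith(b.images):
            continue
        if b.verbs and not any(v in cmd for v in b.verbs):
            continue
        if any(t in cmd for t in b.terms):
            return b.label
    return None


# Constructed sample events (not real telemetry), one per case of interest.
SAMPLE_EVENTS = [
    # Test 1: reg.exe query for a Veeam key -> fires
    {"ProcessPath": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Veeam" /s'},
    # Test 3: sc.exe query for a backup service -> fires
    {"ProcessPath": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query VeeamBackupSvc"},
    # Test 2: PowerShell Win32_Product enumeration -> fires
    {"ProcessPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-WmiObject Win32_Product | "
                    "Where-Object {$_.Name -like '*Backup*'}"},
    # Test 4, piped form: the term lands in findstr.exe, not tasklist.exe -> misses
    {"ProcessPath": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /svc"},
    {"ProcessPath": r"C:\Windows\System32\findstr.exe", "CommandLine": "findstr /i veeam"},
    # Test 4 with the term on tasklist's own command line -> fires
    {"ProcessPath": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": 'tasklist /fi "IMAGENAME eq Veeam*"'},
    # Benign mkdir: 'dir' inside 'mkdir' and 'backup' in a folder name -> false positive
    {"ProcessPath": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c mkdir C:\Temp\backup-report"},
    # 4688 without command-line auditing -> never matches
    {"ProcessPath": r"C:\Windows\System32\reg.exe", "CommandLine": None},
]


def run(events=SAMPLE_EVENTS):
    """Return [(image basename, label)] for the events the query would return."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["ProcessPath"].rsplit("\\", 1)[-1].lower(), label))
    return hits


if __name__ == "__main__":
    for image, label in run():
        print(f"{image:16} {label}")
```

Run it directly to print the hits. To regression-test a tuning change before editing the rule, export "ProcessPath" and "CommandLine" for a day of events from your own log sources into the same dict shape and feed them to run(); any branch you tighten (for example replacing the bare 'dir' gate) can then be compared against the original on real volume.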
