T1518 Google Chronicle · YARA-L

Detect Software Discovery in Google Chronicle

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.

MITRE ATT&CK

Tactic: Discovery
Technique: T1518 Software Discovery
Canonical reference: https://attack.mitre.org/techniques/T1518/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1518_software_discovery {
  meta:
    author = "df00tech"
    description = "Detects software discovery activity via WMI, registry, PowerShell, and cross-platform package manager enumeration (MITRE ATT&CK T1518)"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1518"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-21"
    platforms = "Windows, Linux, macOS"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.process.file.full_path = $parent_path
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmdline

    // Match software discovery patterns across tools
    (
      // wmic.exe product enumeration
      (
        re.regex($proc_path, `(?i).*\\wmic\.exe$`) and
        (
          re.regex($cmdline, `(?i)product\s+(get|list|where)`) or
          strings.contains(strings.to_lower($cmdline), "win32_product")
        )
      ) or
      // reg.exe targeting Uninstall keys
      (
        re.regex($proc_path, `(?i).*\\reg\.exe$`) and
        strings.contains(strings.to_lower($cmdline), "uninstall")
      ) or
      // PowerShell software discovery
      (
        re.regex($proc_path, `(?i).*(powershell|pwsh)\.exe$`) and
        (
          strings.contains(strings.to_lower($cmdline), "get-package") or
          strings.contains(strings.to_lower($cmdline), "win32_product") or
          strings.contains(strings.to_lower($cmdline), "win32_installedwin32program") or
          strings.contains(strings.to_lower($cmdline), "get-wmiobject") or
          strings.contains(strings.to_lower($cmdline), "get-ciminstance") or
          re.regex($cmdline, `(?i)currentversion\\uninstall`) or
          strings.contains(strings.to_lower($cmdline), "installedprogramframework")
        )
      ) or
      // Linux/macOS package manager enumeration via shell
      (
        re.regex($proc_path, `(?i).*(bash|/sh|zsh)$`) and
        (
          strings.contains($cmdline, "dpkg -l") or
          strings.contains($cmdline, "dpkg --list") or
          re.regex($cmdline, `rpm -q[a]?\s`) or
          strings.contains($cmdline, "snap list") or
          strings.contains($cmdline, "brew list") or
          strings.contains($cmdline, "apt list") or
          strings.contains($cmdline, "yum list installed") or
          strings.contains($cmdline, "dnf list installed")
        )
      )
    )

    // Exclude legitimate system management parent processes running as SYSTEM
    not (
      re.regex($parent_path, `(?i).*(msiexec|trustedinstaller|svchost|ccmexec)\.exe$`) and
      re.regex($e.principal.user.userid, `(?i)(system|nt authority|local service)`)
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($parent_path, `(?i).*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$`) and
        (
          strings.contains(strings.to_lower($cmdline), "win32_product") or
          strings.contains(strings.to_lower($cmdline), "product get")
        ), 3
      ) +
      if(
        re.regex($parent_path, `(?i).*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$`), 2
      ) +
      if(
        re.regex($proc_path, `(?i).*\\wmic\.exe$`), 1
      )
    )
    $discovery_count = count($e.target.process.pid)
    $target_process = array_distinct($proc_path)
    $parent_process = array_distinct($parent_path)

  condition:
    $e
}
Severity: medium · Confidence: high

Chronicle YARA-L 2.0 rule detecting T1518 Software Discovery through WMI product enumeration, registry Uninstall key queries, PowerShell software cmdlets, and Linux/macOS package manager invocations. Uses UDM process launch events with regex matching on process paths and command lines. Outcome block computes risk score based on parent process context.

Data Sources

  • Google Chronicle UDM (Unified Data Model)
  • Windows Process Events via Chronicle Forwarder
  • Linux/macOS Process Events via Chronicle Forwarder or Bindplane

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • Software asset management and ITAM tools (Flexera, Snow Software, ServiceNow Discovery) that rely on WMI or PowerShell to enumerate installed software across managed endpoints will generate high-volume true-positive-like alerts
  • Automated vulnerability scanning solutions that use WMI or command-line interfaces for credentialed software enumeration as part of patch compliance checks
  • macOS system administration and MDM enrollment workflows (Jamf, Mosyle) that invoke brew list or system_profiler during device enrollment or health checks
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMIC Product Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).

  2. Test 2: Registry Query for Installed Software (reg.exe)

    Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.

  3. Test 3: PowerShell Software Discovery via Get-Package

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.

  4. Test 4: Linux Package Enumeration via dpkg and rpm

    Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.
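To check the rule's logic against the tests above before it reaches Chronicle, the following added example (not part of the original page or the df00tech rule) re-implements the events block, the SYSTEM management-parent exclusion and the outcome risk score in Python over constructed PROCESS_LAUNCH events. Hostnames, paths, user IDs and command lines are constructed sample values; the 5-minute match window is ignored and events are simply grouped per hostname.

```python
import re
from collections import namedtuple

# Constructed stand-in for a UDM PROCESS_LAUNCH event; fields follow the rule's UDM paths.
ProcLaunch = namedtuple("ProcLaunch", "hostname parent_path proc_path cmdline userid", defaults=["alice"])

SCRIPT_HOSTS = r"(?i).*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$"
WMIC = r"(?i).*\\wmic\.exe$"

def matches_discovery(e):
    """Mirror of the events block: any discovery branch, minus the SYSTEM management-parent exclusion."""
    c = e.cmdline.lower()
    wmic = re.search(WMIC, e.proc_path) and (
        re.search(r"(?i)product\s+(get|list|where)", e.cmdline) or "win32_product" in c)
    reg = re.search(r"(?i).*\\reg\.exe$", e.proc_path) and "uninstall" in c
    ps = re.search(r"(?i).*(powershell|pwsh)\.exe$", e.proc_path) and (
        any(s in c for s in ("get-package", "win32_product", "win32_installedwin32program",
                             "get-wmiobject", "get-ciminstance", "installedprogramframework"))
        or re.search(r"(?i)currentversion\\uninstall", e.cmdline))
    nix = re.search(r"(?i).*(bash|/sh|zsh)$", e.proc_path) and (  # case-sensitive, as in the rule
        any(s in e.cmdline for s in ("dpkg -l", "dpkg --list", "snap list", "brew list",
                                     "apt list", "yum list installed", "dnf list installed"))
        or re.search(r"rpm -q[a]?\s", e.cmdline))
    excluded = (re.search(r"(?i).*(msiexec|trustedinstaller|svchost|ccmexec)\.exe$", e.parent_path)
                and re.search(r"(?i)(system|nt authority|local service)", e.userid))
    return bool((wmic or reg or ps or nix) and not excluded)

def risk_score(e):
    """One event's contribution to $risk_score; the rule takes max() over the 5m hostname window."""
    c = e.cmdline.lower()
    scripted = bool(re.search(SCRIPT_HOSTS, e.parent_path))
    score = 3 if scripted and ("win32_product" in c or "product get" in c) else 0
    return score + (2 if scripted else 0) + (1 if re.search(WMIC, e.proc_path) else 0)

def alert_for_host(events, hostname):
    """What the outcome block yields for one hostname (window ignored): (max risk, match count)."""
    hits = [e for e in events if e.hostname == hostname and matches_discovery(e)]
    return max((risk_score(e) for e in hits), default=0), len(hits)

WMIC_EXE = r"C:\Windows\System32\wbem\wmic.exe"  # constructed path reused below
SAMPLE_EVENTS = [  # constructed; two of the five should not alert
    ProcLaunch("ws01", r"C:\Windows\System32\cmd.exe", WMIC_EXE, "wmic product get name"),  # Test 1 -> score 1
    ProcLaunch("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", WMIC_EXE,
               "wmic product get name"),  # scripting-host parent -> score 6
    ProcLaunch("ws01", r"C:\Windows\CCM\CcmExec.exe", WMIC_EXE, "wmic product get name", r"NT AUTHORITY\SYSTEM"),  # excluded
    ProcLaunch("lx01", "/usr/sbin/sshd", "/bin/bash", "bash -c 'dpkg -l > /tmp/dpkg_inv.txt'"),  # Test 4 -> score 0
    ProcLaunch("lx01", "/bin/bash", "/usr/bin/dpkg", "dpkg -l"),  # dpkg launched directly: no shell wrapper, no match
]
```

The last sample shows a coverage limit worth knowing when running Test 4: the Linux branch keys on the shell process, so a package manager executed directly (as an auditd EXECVE for dpkg or rpm would show) does not match.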
