T1518 Elastic Security · Elastic

Detect Software Discovery in Elastic Security

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1518 Software Discovery
Canonical reference
https://attack.mitre.org/techniques/T1518/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name, process.entity_id with maxspan=5s
[
  any where event.category == "process" and event.type == "start" and
  (
    (
      process.name : "wmic.exe" and
      process.command_line : ("*product get*", "*product list*", "*Win32_Product*", "*product where*")
    ) or
    (
      process.name : "reg.exe" and
      process.command_line : "*Uninstall*"
    ) or
    (
      process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : (
        "*Get-Package*", "*Win32_Product*", "*Win32_InstalledWin32Program*",
        "*Get-WmiObject*", "*Get-CimInstance*", "*CurrentVersion\\Uninstall*",
        "*InstalledProgramFramework*"
      )
    ) or
    (
      process.name : ("bash", "sh", "zsh") and
      process.command_line : (
        "*dpkg -l*", "*dpkg --list*", "*rpm -qa*", "*rpm -q *",
        "*snap list*", "*flatpak list*", "*brew list*",
        "*apt list*", "*yum list installed*", "*dnf list installed*"
      )
    )
  ) and
  not (
    process.parent.name : ("msiexec.exe", "trustedinstaller.exe", "svchost.exe") and
    user.name : ("SYSTEM", "NT AUTHORITY\\SYSTEM")
  )
]
| eval risk_score = case(
    process.parent.name : ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"), 3,
    process.name : "wmic.exe", 2,
    true, 1
  )
| sort @timestamp desc
medium severity high confidence

Detects software discovery activity via wmic, reg, PowerShell cmdlets, and cross-platform package managers. Covers both Windows registry-based enumeration and WMI-based software inventory queries. Risk scoring elevates events with suspicious parent processes indicative of post-exploitation context.

Data Sources

Elastic Endpoint SecurityWindows Event Logs (Sysmon via Elastic Agent)Auditbeat (Linux/macOS)

Required Tables

logs-endpoint.events.process-*logs-windows.sysmon_operational-*logs-system.security-*

False Positives & Tuning

  • IT asset management tools (SCCM, Ivanti, Tanium) routinely query installed software via WMI or registry for inventory purposes — these will trigger on legitimate scan cycles
  • Software deployment and patch management systems (Windows Update, third-party patching tools) may invoke wmic.exe or reg.exe against Uninstall keys during pre-flight compatibility checks
  • Developers and system administrators running PowerShell Get-Package or Get-CimInstance commands during troubleshooting or environment auditing, especially in DevOps pipelines
Download portable Sigma rule (.yml)

Other platforms for T1518

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMIC Product Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).

  2. Test 2Registry Query for Installed Software (reg.exe)

    Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.

  3. Test 3PowerShell Software Discovery via Get-Package

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.

  4. Test 4Linux Package Enumeration via dpkg and rpm

    Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1518 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1518.001Security Software DiscoveryT1518.002Backup Software DiscoveryT1082System Information DiscoveryT1007System Service DiscoveryT1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1068Exploitation for Privilege EscalationT1592.002SoftwareT1047Windows Management Instrumentation

Same Tactic: Discovery

Popular Detections