T1518 CrowdStrike LogScale · LogScale

Detect Software Discovery in CrowdStrike LogScale

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1518 Software Discovery
Canonical reference
https://attack.mitre.org/techniques/T1518/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1518 Software Discovery — CrowdStrike Falcon LogScale (CQL)
// Detects WMI, registry, PowerShell, and package manager software enumeration

#event_simpleName = ProcessRollup2
| FileName = /(?i)(wmic\.exe|reg\.exe|powershell\.exe|pwsh\.exe|bash|sh|zsh)/
| CommandLine = /(?i)(
    product\s+(get|list|where)
    |win32_product
    |win32_installedwin32program
    |installedprogramframework
    |currentversion\\uninstall
    |get-package
    |get-wmiobject
    |get-ciminstance
    |dpkg\s+-[l-]
    |dpkg\s+--list
    |rpm\s+-q[a]?
    |snap\s+list
    |brew\s+list
    |apt\s+list
    |yum\s+list\s+installed
    |dnf\s+list\s+installed
  )/

// Exclude legitimate system management processes running as SYSTEM
| !(
    ParentBaseFileName = /(?i)(msiexec\.exe|trustedinstaller\.exe|svchost\.exe|ccmexec\.exe)/
    AND UserName = /(?i)(system|nt authority|local service)/
  )

// Classify discovery type
| DiscoveryType := case {
    CommandLine = /(?i)(win32_product|product\s+get|product\s+list)/ => "WMI_Software_Enum";
    CommandLine = /(?i)(currentversion\\uninstall)/ => "Registry_Uninstall_Query";
    CommandLine = /(?i)(get-package|win32_installedwin32program|installedprogramframework)/ => "PS_GetPackage";
    CommandLine = /(?i)(dpkg|rpm\s+-q|snap\s+list|brew\s+list|apt\s+list|yum\s+list|dnf\s+list)/ => "PackageManager_Enum";
    * => "Generic_Software_Discovery"
  }

// Flag suspicious parent processes
| SuspiciousParent := ParentBaseFileName
    = /(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)/

// Risk scoring
| RiskScore := case {
    SuspiciousParent = true AND DiscoveryType = "WMI_Software_Enum" => 3;
    SuspiciousParent = true => 2;
    DiscoveryType = "WMI_Software_Enum" => 2;
    * => 1
  }

// Aggregate by host and process for analyst triage
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DiscoveryType, SuspiciousParent, RiskScore],
    function=[
      count(aid, as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(RiskScore, order=desc)
| table(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DiscoveryType, SuspiciousParent, RiskScore, EventCount, FirstSeen, LastSeen]
  )
medium severity high confidence

CrowdStrike Falcon LogScale detection for T1518 Software Discovery using ProcessRollup2 events. Matches wmic, reg, PowerShell, and shell-based package manager invocations via regex against FileName and CommandLine fields. Classifies discovery method, flags suspicious parent inheritance, and aggregates events per host for analyst efficiency.

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events)Falcon Data Replicator — Process telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • CrowdStrike Spotlight or third-party vulnerability management tools integrated with the Falcon platform may execute WMI queries for software inventory during assessment runs, matching the wmic and Win32_Product patterns
  • Group Policy-driven software compliance scripts executed via cmd.exe or PowerShell at logon or on schedule will regularly query registry Uninstall keys across the fleet
  • Developer or IT tooling installed on endpoints (Chocolatey, Homebrew on macOS, WSL with apt/dpkg) that self-updates or audits its package list through shell invocations during routine operations
Download portable Sigma rule (.yml)

Other platforms for T1518

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMIC Product Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).

  2. Test 2Registry Query for Installed Software (reg.exe)

    Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.

  3. Test 3PowerShell Software Discovery via Get-Package

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.

  4. Test 4Linux Package Enumeration via dpkg and rpm

    Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1518 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1518.001Security Software DiscoveryT1518.002Backup Software DiscoveryT1082System Information DiscoveryT1007System Service DiscoveryT1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1068Exploitation for Privilege EscalationT1592.002SoftwareT1047Windows Management Instrumentation

Same Tactic: Discovery

Popular Detections