T1518 IBM QRadar · QRadar

Detect Software Discovery in IBM QRadar

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1518 Software Discovery
Canonical reference
https://attack.mitre.org/techniques/T1518/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "ProcessName",
  "CommandLine",
  "ParentProcessName",
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN "CommandLine" ILIKE '%Win32_Product%' OR "CommandLine" ILIKE '%product get%' OR "CommandLine" ILIKE '%product list%' THEN 'WMI_Software_Enum'
    WHEN "CommandLine" ILIKE '%CurrentVersion\Uninstall%' OR "CommandLine" ILIKE '%Uninstall%' AND "ProcessName" ILIKE '%reg.exe%' THEN 'Registry_Uninstall_Query'
    WHEN "CommandLine" ILIKE '%Get-Package%' OR "CommandLine" ILIKE '%Win32_InstalledWin32Program%' OR "CommandLine" ILIKE '%InstalledProgramFramework%' THEN 'PS_GetPackage'
    WHEN "CommandLine" ILIKE '%dpkg%' OR "CommandLine" ILIKE '%rpm -q%' OR "CommandLine" ILIKE '%snap list%' OR "CommandLine" ILIKE '%brew list%' OR "CommandLine" ILIKE '%yum list%' OR "CommandLine" ILIKE '%apt list%' OR "CommandLine" ILIKE '%dnf list%' THEN 'PackageManager_Enum'
    ELSE 'Generic_Software_Discovery'
  END AS DiscoveryType,
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%powershell.exe%' OR LOWER("ParentProcessName") LIKE '%pwsh.exe%'
      OR LOWER("ParentProcessName") LIKE '%wscript.exe%' OR LOWER("ParentProcessName") LIKE '%cscript.exe%'
      OR LOWER("ParentProcessName") LIKE '%mshta.exe%' OR LOWER("ParentProcessName") LIKE '%rundll32.exe%'
      OR LOWER("ParentProcessName") LIKE '%regsvr32.exe%' THEN 3
    WHEN LOWER("ProcessName") LIKE '%wmic.exe%' THEN 2
    ELSE 1
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'LinuxAuthLog', 'Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    -- wmic product enumeration
    (LOWER("ProcessName") LIKE '%wmic.exe%' AND (
      LOWER("CommandLine") LIKE '%product get%' OR
      LOWER("CommandLine") LIKE '%product list%' OR
      LOWER("CommandLine") LIKE '%product where%' OR
      LOWER("CommandLine") LIKE '%win32_product%'
    ))
    -- reg query uninstall
    OR (LOWER("ProcessName") LIKE '%reg.exe%' AND LOWER("CommandLine") LIKE '%uninstall%')
    -- PowerShell software discovery
    OR ((LOWER("ProcessName") LIKE '%powershell.exe%' OR LOWER("ProcessName") LIKE '%pwsh.exe%') AND (
      LOWER("CommandLine") LIKE '%get-package%' OR
      LOWER("CommandLine") LIKE '%win32_product%' OR
      LOWER("CommandLine") LIKE '%win32_installedwin32program%' OR
      LOWER("CommandLine") LIKE '%get-wmiobject%' OR
      LOWER("CommandLine") LIKE '%get-ciminstance%' OR
      LOWER("CommandLine") LIKE '%currentversion\uninstall%' OR
      LOWER("CommandLine") LIKE '%installedprogramframework%'
    ))
    -- Linux/macOS package manager enumeration
    OR ((LOWER("ProcessName") LIKE '%bash%' OR LOWER("ProcessName") LIKE '%/sh%' OR LOWER("ProcessName") LIKE '%zsh%') AND (
      LOWER("CommandLine") LIKE '%dpkg -l%' OR
      LOWER("CommandLine") LIKE '%dpkg --list%' OR
      LOWER("CommandLine") LIKE '%rpm -qa%' OR
      LOWER("CommandLine") LIKE '%snap list%' OR
      LOWER("CommandLine") LIKE '%brew list%' OR
      LOWER("CommandLine") LIKE '%apt list%' OR
      LOWER("CommandLine") LIKE '%yum list installed%' OR
      LOWER("CommandLine") LIKE '%dnf list installed%'
    ))
  )
  AND NOT (
    (LOWER("ParentProcessName") LIKE '%msiexec.exe%' OR LOWER("ParentProcessName") LIKE '%trustedinstaller.exe%' OR LOWER("ParentProcessName") LIKE '%ccmexec.exe%')
    AND (LOWER(username) LIKE '%system%' OR LOWER(username) LIKE '%nt authority%')
  )
ORDER BY starttime DESC
medium severity high confidence

AQL query detecting software discovery activity through WMI, registry, PowerShell, and package manager enumeration. Correlates process execution events from Windows Security logs, Sysmon, and Linux audit logs. Assigns risk scores based on suspicious parent process inheritance indicative of post-exploitation.

Data Sources

Microsoft Windows Security Event LogSysmon Operational Log (via QRadar DSM)LinuxAuthLog / Auditd

Required Tables

events

False Positives & Tuning

  • Endpoint management platforms (SCCM, BigFix, ManageEngine) perform scheduled WMI-based software inventory that will match WMI enumeration patterns during discovery cycles
  • Security compliance scanning tools (Nessus, Qualys, Rapid7) execute reg.exe and wmic.exe queries against Uninstall keys during credentialed vulnerability assessments
  • Linux build and CI/CD pipelines frequently enumerate installed packages via dpkg or rpm during dependency resolution and environment validation stages
Download portable Sigma rule (.yml)

Other platforms for T1518

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMIC Product Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).

  2. Test 2Registry Query for Installed Software (reg.exe)

    Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.

  3. Test 3PowerShell Software Discovery via Get-Package

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.

  4. Test 4Linux Package Enumeration via dpkg and rpm

    Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1518 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1518.001Security Software DiscoveryT1518.002Backup Software DiscoveryT1082System Information DiscoveryT1007System Service DiscoveryT1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1068Exploitation for Privilege EscalationT1592.002SoftwareT1047Windows Management Instrumentation

Same Tactic: Discovery

Popular Detections