Detect Software Discovery in Microsoft Sentinel
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1518 Software Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1518/
KQL Detection Query
let SoftwareDiscoveryPatterns = dynamic([
// Registry-based enumeration
"\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
// WMI-based enumeration
"Win32_Product",
"Win32_InstalledWin32Program",
"Win32_InstalledProgramFramework",
// PowerShell cmdlets
"Get-Package",
"Get-WmiObject",
"Get-CimInstance",
// WMIC commands
"product get",
"product list"
]);
let SuspiciousParents = dynamic([
"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"
]);
// Branch 1: Registry queries targeting software inventory keys
let RegistryBranch = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "CurrentVersion\\Uninstall"
| where ActionType in ("RegistryKeyValueQueried", "RegistryQueryKey")
| extend DetectionSource = "Registry"
| project Timestamp, DeviceName, AccountName, ActionType,
RegistryKey, RegistryValueName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, DetectionSource;
// Branch 2: Process-based software discovery (wmic, reg, PowerShell)
let ProcessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
// wmic product enumeration
(FileName =~ "wmic.exe" and ProcessCommandLine has_any ("product get", "product list", "product where", "Win32_Product"))
// reg query against uninstall keys
or (FileName =~ "reg.exe" and ProcessCommandLine has "Uninstall")
// PowerShell software discovery cmdlets
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (
"Get-Package", "Win32_Product", "Win32_InstalledWin32Program",
"Get-WmiObject", "Get-CimInstance", "CurrentVersion\\Uninstall",
"InstalledProgramFramework"
))
// rpm/dpkg/brew via bash (cross-platform endpoints)
or (FileName in~ ("bash", "sh", "zsh") and ProcessCommandLine has_any (
"dpkg -l", "dpkg --list", "rpm -qa", "rpm -q",
"snap list", "flatpak list", "brew list",
"apt list", "yum list installed", "dnf list installed"
))
)
| extend DetectionSource = "Process"
// Flag suspicious parent processes indicating post-exploitation context
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
// Exclude obvious system management processes
| where not (
InitiatingProcessFileName in~ ("msiexec.exe", "trustedinstaller.exe", "svchost.exe")
and AccountName in~ ("SYSTEM", "NT AUTHORITY\\SYSTEM")
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, SuspiciousParent, DetectionSource;
// Union and enrich
RegistryBranch
| union ProcessBranch
| extend RiskScore = case(
DetectionSource == "Registry" and InitiatingProcessFileName in~ (SuspiciousParents), 3,
DetectionSource == "Process" and SuspiciousParent == true, 3,
DetectionSource == "Process" and FileName =~ "wmic.exe", 2,
1
)
| sort by Timestamp descDetects software enumeration activity across two telemetry branches: (1) registry reads against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall keys via DeviceRegistryEvents, and (2) process creation events in DeviceProcessEvents targeting wmic product enumeration, reg.exe Uninstall queries, PowerShell Get-Package/Get-WmiObject/Get-CimInstance Win32_Product calls, and Linux/macOS package manager invocations. A RiskScore field prioritizes events where discovery tools are launched from suspicious parent processes (PowerShell, cmd.exe, wscript.exe), indicating post-exploitation context rather than administrative activity.
Data Sources
Required Tables
False Positives & Tuning
- Software inventory agents (SCCM, Tanium, Qualys, Tenable, ServiceNow Discovery) that regularly enumerate installed software for asset management and vulnerability scanning
- System administrators running wmic product get or reg query manually during troubleshooting or software audits
- PowerShell Desired State Configuration (DSC) and automation scripts (Ansible, Chef, Puppet) querying installed packages during compliance checks
- Software installers and uninstallers that read Uninstall registry keys to check for existing versions before installation
- Endpoint Detection & Response (EDR) agents that perform software inventory as part of their telemetry collection
Other platforms for T1518
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1WMIC Product Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).
- Test 2Registry Query for Installed Software (reg.exe)
Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.
- Test 3PowerShell Software Discovery via Get-Package
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.
- Test 4Linux Package Enumeration via dpkg and rpm
Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.
References (10)
- https://attack.mitre.org/techniques/T1518/
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/win32-product
- https://learn.microsoft.com/en-us/powershell/module/packagemanagement/get-package
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://www.mandiant.com/resources/blog/unc3890-targets-israel
- https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-banking-malware/
- https://unit42.paloaltonetworks.com/siloscape/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
Unlock Pro Content
Get the full detection package for T1518 including response playbook, investigation guide, and atomic red team tests.