T1518 Splunk · SPL

Detect Software Discovery in Splunk

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1518 Software Discovery
Canonical reference
https://attack.mitre.org/techniques/T1518/

SPL Detection Query

Splunk (SPL)
spl 
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (Image="*\\wmic.exe" (CommandLine="*product get*" OR CommandLine="*product list*" OR CommandLine="*Win32_Product*"))
    OR (Image="*\\reg.exe" CommandLine="*Uninstall*")
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") (CommandLine="*Get-Package*" OR CommandLine="*Win32_Product*" OR CommandLine="*Win32_InstalledWin32Program*" OR CommandLine="*Get-WmiObject*" OR CommandLine="*Get-CimInstance*" OR CommandLine="*CurrentVersion\\Uninstall*"))
    OR ((Image="*\\bash" OR Image="*\\sh" OR Image="*\\zsh") (CommandLine="*dpkg -l*" OR CommandLine="*rpm -qa*" OR CommandLine="*snap list*" OR CommandLine="*brew list*" OR CommandLine="*apt list*" OR CommandLine="*yum list installed*"))
  )
)
OR
(
  index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  (
    (NewProcessName="*\\wmic.exe" (CommandLine="*product get*" OR CommandLine="*Win32_Product*"))
    OR (NewProcessName="*\\reg.exe" CommandLine="*Uninstall*")
    OR ((NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe") (CommandLine="*Get-Package*" OR CommandLine="*Win32_Product*"))
  )
)
| eval ProcessImage=coalesce(Image, NewProcessName)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval CmdLine=coalesce(CommandLine, CommandLine)
| eval DiscoveryType=case(
    match(lower(CmdLine), "win32_product|product get|product list"), "WMI_Software_Enum",
    match(lower(CmdLine), "currentversion\\uninstall"), "Registry_Uninstall_Query",
    match(lower(CmdLine), "get-package"), "PS_GetPackage",
    match(lower(CmdLine), "dpkg|rpm -q|snap list|brew list|apt list|yum list"), "PackageManager_Enum",
    true(), "Generic_Software_Discovery"
  )
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)"), 1, 0)
| eval RiskScore=case(
    SuspiciousParent=1 AND DiscoveryType="WMI_Software_Enum", 3,
    SuspiciousParent=1, 2,
    DiscoveryType="WMI_Software_Enum", 2,
    true(), 1
  )
| where NOT (match(lower(ParentImage), "(msiexec\.exe|trustedinstaller\.exe|ccmexec\.exe|smss\.exe)") AND match(lower(User), "(system|nt authority)"))
| table _time, host, User, ProcessImage, CmdLine, ParentImage, ParentCommandLine, DiscoveryType, SuspiciousParent, RiskScore
| sort - _time
low severity medium confidence

Detects software discovery activity using Sysmon Event ID 1 (Process Creation) and Security Event ID 4688. Categorizes detections into discovery types (WMI enumeration, registry uninstall queries, PowerShell Get-Package, Linux/macOS package managers) and assigns risk scores based on whether the discovery tool was launched from a suspicious parent process. Filters out known-benign software management processes running as SYSTEM to reduce false positives from legitimate inventory agents.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Software inventory and vulnerability scanning agents (SCCM, Tanium, Qualys, Rapid7) running on schedule as SYSTEM
  • IT administrators running manual software audits using wmic or PowerShell Get-Package
  • Configuration management platforms (Ansible, Puppet, Chef) querying installed packages during playbook runs
  • Software packaging and deployment tools reading Uninstall registry keys during installation workflows
  • Patch management solutions enumerating installed software to determine applicable patches
Download portable Sigma rule (.yml)

Other platforms for T1518

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMIC Product Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).

  2. Test 2Registry Query for Installed Software (reg.exe)

    Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.

  3. Test 3PowerShell Software Discovery via Get-Package

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.

  4. Test 4Linux Package Enumeration via dpkg and rpm

    Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1518 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1518.001Security Software DiscoveryT1518.002Backup Software DiscoveryT1082System Information DiscoveryT1007System Service DiscoveryT1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1068Exploitation for Privilege EscalationT1592.002SoftwareT1047Windows Management Instrumentation

Same Tactic: Discovery

Popular Detections