Detect Software Discovery in Sumo Logic CSE
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1518 Software Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1518/
Sumo Detection Query
```
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="linux/syslog")
| json auto
// Normalize process fields across Sysmon and Windows Security
| if (!isNull(Image), Image, NewProcessName) as ProcessImage
| if (!isNull(ParentImage), ParentImage, ParentProcessName) as ParentProcessImage
// CommandLine carries the same field name in Sysmon EID 1 and Security EID 4688, so it needs no coalescing
| if (!isNull(User), User, SubjectUserName) as Username
| if (!isNull(Computer), Computer, host) as Hostname
// Filter to relevant events: Sysmon EID 1 or Windows Security EID 4688
| where (EventID = "1" AND _sourceCategory matches "*sysmon*")
OR (EventID = "4688" AND _sourceCategory matches "*security*")
OR _sourceCategory matches "*linux*syslog*"
// Core detection logic
| where (
// wmic product enumeration
(matches(lower(ProcessImage), ".*wmic\.exe$") AND (
contains(lower(CommandLine), "product get") OR
contains(lower(CommandLine), "product list") OR
contains(lower(CommandLine), "product where") OR
contains(lower(CommandLine), "win32_product")
))
// reg query against uninstall keys
OR (matches(lower(ProcessImage), ".*reg\.exe$") AND contains(lower(CommandLine), "uninstall"))
// PowerShell software discovery cmdlets
OR ((matches(lower(ProcessImage), ".*powershell\.exe$") OR matches(lower(ProcessImage), ".*pwsh\.exe$")) AND (
contains(lower(CommandLine), "get-package") OR
contains(lower(CommandLine), "win32_product") OR
contains(lower(CommandLine), "win32_installedwin32program") OR
contains(lower(CommandLine), "get-wmiobject") OR
contains(lower(CommandLine), "get-ciminstance") OR
contains(lower(CommandLine), "currentversion\\uninstall") OR
contains(lower(CommandLine), "installedprogramframework")
))
// Linux/macOS package manager enumeration
OR ((matches(lower(ProcessImage), ".*(bash|/sh|zsh)$")) AND (
contains(lower(CommandLine), "dpkg -l") OR
contains(lower(CommandLine), "dpkg --list") OR
contains(lower(CommandLine), "rpm -qa") OR
contains(lower(CommandLine), "snap list") OR
contains(lower(CommandLine), "brew list") OR
contains(lower(CommandLine), "apt list") OR
contains(lower(CommandLine), "yum list installed") OR
contains(lower(CommandLine), "dnf list installed")
))
)
// Exclusions: legitimate system management processes running as SYSTEM
| where NOT (
(matches(lower(ParentProcessImage), ".*(msiexec\.exe|trustedinstaller\.exe|ccmexec\.exe|svchost\.exe)$"))
AND (matches(lower(Username), ".*(system|nt authority).*"))
)
// Discovery type classification
| eval DiscoveryType = if(
matches(lower(CommandLine), "win32_product|product get|product list"), "WMI_Software_Enum",
if(contains(lower(CommandLine), "currentversion\\uninstall"), "Registry_Uninstall_Query",
if(contains(lower(CommandLine), "get-package"), "PS_GetPackage",
if(matches(lower(CommandLine), "dpkg|rpm -q|snap list|brew list|apt list|yum list|dnf list"), "PackageManager_Enum",
"Generic_Software_Discovery")))
)
// Suspicious parent flag: script hosts and LOLBins spawning discovery commands
| eval SuspiciousParent = if(
matches(lower(ParentProcessImage), ".*(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe).*"),
1, 0
)
// Risk scoring: suspicious parent plus WMI enumeration scores highest
| eval RiskScore = if(SuspiciousParent = 1 AND DiscoveryType = "WMI_Software_Enum", 3,
if(SuspiciousParent = 1, 2,
if(DiscoveryType = "WMI_Software_Enum", 2, 1)))
| fields _messageTime, Hostname, Username, ProcessImage, CommandLine, ParentProcessImage, DiscoveryType, SuspiciousParent, RiskScore
| sort by _messageTime desc
```
Sumo Logic detection for software discovery activity via WMI, registry, PowerShell, and package manager enumeration. It normalizes fields across Sysmon and Windows Security log source types, classifies the discovery method, and scores risk based on parent process context to surface post-exploitation scenarios.
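To exercise the normalization, exclusion, classification and scoring logic offline before deploying the query, here is the same decision tree re-implemented in Python as an added example (not Sumo Logic's or the page's own code). The three sample events are constructed, and the EventID/source-category pre-filter is left out so the function can be called on any dict with the listed field names.

```python
import re
# Constructed sample events, not real telemetry: one Sysmon EID 1, one Security 4688, one Linux shell.
SAMPLE_EVENTS = [
    {"_sourceCategory": "windows/sysmon", "EventID": "1", "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic product get name,version",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"_sourceCategory": "windows/security", "EventID": "4688", "Computer": "WS02", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic product get name",
     "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe"},
    {"_sourceCategory": "linux/syslog", "host": "lx01", "User": "ops", "Image": "/bin/bash",
     "CommandLine": "bash -c 'dpkg -l > /tmp/inv.txt'", "ParentImage": "/usr/bin/sshd"},
]
WMI_TERMS = ("product get", "product list", "product where", "win32_product")
PS_TERMS = ("get-package", "win32_product", "get-wmiobject", "get-ciminstance", "currentversion\\uninstall")
PKG_TERMS = ("dpkg -l", "dpkg --list", "rpm -qa", "snap list", "brew list", "apt list",
             "yum list installed", "dnf list installed")
TRUSTED_PARENT = re.compile(r".*(msiexec\.exe|trustedinstaller\.exe|ccmexec\.exe|svchost\.exe)$")
SUSPICIOUS_PARENT = re.compile(r".*(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)")
CLASSIFIERS = [(r"win32_product|product get|product list", "WMI_Software_Enum"),
               (r"currentversion\\uninstall", "Registry_Uninstall_Query"),
               (r"get-package", "PS_GetPackage"),
               (r"dpkg|rpm -q|snap list|brew list|apt list|yum list|dnf list", "PackageManager_Enum")]

def normalize(ev):
    """Coalesce Sysmon and Windows Security field names the way the query's if(!isNull(...)) lines do."""
    return {"image": (ev.get("Image") or ev.get("NewProcessName") or "").lower(),
            "parent": (ev.get("ParentImage") or ev.get("ParentProcessName") or "").lower(),
            "cmd": (ev.get("CommandLine") or "").lower(),
            "user": (ev.get("User") or ev.get("SubjectUserName") or "").lower(),
            "host": ev.get("Computer") or ev.get("host")}

def evaluate(ev):
    """Return None when the event is not a hit (or is excluded), else its classification and risk score."""
    n = normalize(ev)
    hit = ((n["image"].endswith("wmic.exe") and any(t in n["cmd"] for t in WMI_TERMS))
           or (n["image"].endswith("reg.exe") and "uninstall" in n["cmd"])
           or (n["image"].endswith(("powershell.exe", "pwsh.exe")) and any(t in n["cmd"] for t in PS_TERMS))
           or (re.search(r"(bash|/sh|zsh)$", n["image"]) and any(t in n["cmd"] for t in PKG_TERMS)))
    # Exclusion: installer / inventory parents running as SYSTEM are expected to enumerate software
    if not hit or (TRUSTED_PARENT.match(n["parent"]) and re.search(r"system|nt authority", n["user"])):
        return None
    dtype = next((label for pat, label in CLASSIFIERS if re.search(pat, n["cmd"])), "Generic_Software_Discovery")
    suspicious = 1 if SUSPICIOUS_PARENT.match(n["parent"]) else 0  # script-host / LOLBin parent
    risk = 3 if suspicious and dtype == "WMI_Software_Enum" else 2 if suspicious or dtype == "WMI_Software_Enum" else 1
    return {"host": n["host"], "type": dtype, "suspicious_parent": suspicious, "risk": risk}

def run(events=SAMPLE_EVENTS):
    """Apply the detection to a list of events and return only the hits, in input order."""
    return [r for r in map(evaluate, events) if r]
```

Feeding the SCCM-style 4688 event (WMIC under CcmExec.exe as SYSTEM) returns nothing, which is the exclusion from the tuning notes doing its job; the PowerShell-spawned WMIC event scores 3 and the SSH-session dpkg listing scores 1.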
False Positives & Tuning
- Microsoft Configuration Manager (SCCM/MECM) hardware and software inventory agents execute WMI queries including Win32_Product on a schedule — high volume false positive during inventory collection windows
- PowerShell-based administrative scripts for license auditing, software compliance reporting, or asset management will trigger on Get-WmiObject and Get-CimInstance patterns
- Developer workstation environments where brew (macOS) or dpkg/apt (WSL2) package listings are executed during build environment setup or Docker image provisioning
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMIC Product Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'product get'. WMI Activity Event IDs 5857/5858/5859 in Microsoft-Windows-WMI-Activity/Operational. File creation event (Sysmon Event ID 11) for %TEMP%\software_inv.csv. Security Event ID 4688 (if command line auditing enabled).
- Test 2: Registry Query for Installed Software (reg.exe)
Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe with CommandLine containing 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'. Registry access events (Sysmon Event ID 12/13) if registry monitoring is configured. Security Event ID 4688 for both reg.exe executions.
- Test 3: PowerShell Software Discovery via Get-Package
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Package' and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full cmdlet. Sysmon Event ID 11 (File Create) for the CSV output in TEMP.
- Test 4: Linux Package Enumeration via dpkg and rpm
Expected signal: Auditd EXECVE records for dpkg, rpm, snap, awk, and cat process invocations. Syslog entries if process accounting is enabled. On endpoints with Sysmon for Linux (sysmonforlinux): Event ID 1 process creation events for each command in the pipeline. File creation event for /tmp/dpkg_inv.txt.
References (10)
- https://attack.mitre.org/techniques/T1518/
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/win32-product
- https://learn.microsoft.com/en-us/powershell/module/packagemanagement/get-package
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://www.mandiant.com/resources/blog/unc3890-targets-israel
- https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-banking-malware/
- https://unit42.paloaltonetworks.com/siloscape/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table