title: Backup Software Discovery (T1518.002)
id: df00tech-t1518-002
status: experimental
description: "Adversaries may attempt to get a listing of backup software or configurations installed on a system. This discovery technique is commonly performed as pre-ransomware reconnaissance to identify backup solutions (Veeam, Acronis, Backup Exec, Commvault, Windows Server Backup) so attackers can disable, destroy, or encrypt them before deploying ransomware payloads. Methods include registry queries (reg query), process enumeration (tasklist, wmic), service enumeration (sc query, net start), directory listings, and PowerShell-based enumeration scripts such as the Get-DataInfo.ps1 script used by Wizard Spider (FIN12)."
references:
  - https://attack.mitre.org/techniques/T1518/002/
  - https://df00tech.com/detections/T1518.002
author: df00tech
date: 2026/04/20
tags:
  - attack.t1518.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original auto-translation produced a catch-all (EventID: '*') that matched every
  # process-creation event. The selections below are derived from the discovery commands and
  # backup products named in the description; the full KQL/SPL query is on df00tech.
  # Tune the product list to the backup software actually deployed in your environment.
  selection_tool:
    Image|endswith:
      - '\reg.exe'
      - '\tasklist.exe'
      - '\wmic.exe'
      - '\sc.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_backup:
    CommandLine|contains:
      - 'veeam'
      - 'acronis'
      - 'backup exec'
      - 'commvault'
      - 'wbadmin'        # Windows Server Backup command-line tool
      - 'Get-DataInfo'   # Wizard Spider (FIN12) enumeration script named in the description
  condition: selection_tool and selection_backup
falsepositives:
  - Backup administrators running legitimate inventory or health-check scripts to verify backup agent status across endpoints
  - "IT asset management tools (Lansweeper, PDQ Inventory, Snipe-IT) that enumerate installed software and services during scheduled discovery scans"
  - "Monitoring agents (Zabbix, PRTG, SolarWinds) checking backup service health and process status as part of regular infrastructure monitoring"
  - "Backup software itself performing self-checks or compatibility validation during installation, upgrade, or scheduled maintenance windows"
level: high
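To see how the rule's logic behaves against telemetry, the following added example (not part of the df00tech rule) applies the same image/command-line matching to constructed process-creation events and then drops hits from an assumed allowlist of backup-administrator accounts, mirroring the first false-positive case above.

```python
"""Apply the backup-software discovery logic to sample process-creation events."""

# Discovery tools named in the rule description, matched on the image file name.
DISCOVERY_IMAGES = {"reg.exe", "tasklist.exe", "wmic.exe", "sc.exe",
                    "net.exe", "net1.exe", "powershell.exe", "pwsh.exe"}

# Backup products/scripts named in the rule description. Sigma 'contains' is
# case-insensitive, so everything is compared in lower case.
BACKUP_TERMS = ("veeam", "acronis", "backup exec", "commvault",
                "wbadmin", "get-datainfo")


def matches_backup_discovery(event: dict) -> bool:
    """True when a discovery tool is run with a backup product on its command line."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "").lower()
    return image in DISCOVERY_IMAGES and any(t in cmdline for t in BACKUP_TERMS)


def find_alerts(events: list) -> list:
    """Return every event the rule would fire on."""
    return [e for e in events if matches_backup_discovery(e)]


def triage(events: list, allowlisted_users=()) -> list:
    """Alerts minus those from known backup-administrator accounts (assumed allowlist)."""
    allowed = {u.lower() for u in allowlisted_users}
    return [e for e in find_alerts(events)
            if e.get("User", "").lower() not in allowed]


# Constructed sample events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Veeam"', "User": r"CORP\svc-bk"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query VeeamBackupSvc", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\tasklist.exe",   # no backup term: no alert
     "CommandLine": "tasklist /svc", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\Public\Get-DataInfo.ps1",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe",  # backup
     "CommandLine": "Veeam.Backup.Manager.exe", "User": "NT AUTHORITY\\SYSTEM"},  # product itself
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, allowlisted_users=[r"CORP\svc-bk"]):
        print("ALERT:", hit["User"], hit["CommandLine"])
```

The last sample shows why the image filter matters: the backup product's own process runs constantly and must not trip a rule about discovery tools.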
