title: Software Discovery (T1518)
id: df00tech-t1518
status: experimental
description: "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries use this information during automated discovery to shape follow-on behaviors — including whether to fully infect the target, which vulnerabilities to exploit for privilege escalation, or which security tools to evade. Common techniques include querying the Windows Registry uninstall keys, WMI Win32_Product class, PowerShell Get-Package cmdlet, and command-line tools such as wmic and reg. On Linux and macOS, adversaries use package managers (dpkg, rpm, brew) and filesystem enumeration of application directories."
references:
  - https://attack.mitre.org/techniques/T1518/
  - https://df00tech.com/detections/T1518
author: df00tech
date: 2026/04/21
tags:
  - attack.t1518
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# This rule covers only Windows process-creation telemetry (Sysmon Event ID 1 or
# Security 4688 with command-line auditing); the Linux/macOS package-manager
# enumeration named in the description needs separate rules.
logsource:
  category: process_creation
  product: windows
detection:
  # Selections derived from the techniques named in the description; the KQL/SPL
  # query this rule was translated from is on df00tech, reconcile against it
  # before deployment. Matching is case-insensitive (Sigma default).
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains|all:
      - 'product'
      - 'get'
  selection_reg:
    Image|endswith: '\reg.exe'
    CommandLine|contains|all:
      - 'query'
      - '\Uninstall'
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains: 'Get-Package'
  selection_wmi:
    # Win32_Product is reachable from wmic, PowerShell (Get-WmiObject/Get-CimInstance)
    # or any WMI client, so no Image filter. Enumerating it also makes Windows
    # Installer run a consistency check on every product, which logs MsiInstaller
    # Event ID 1035 in the Application log; useful corroboration.
    CommandLine|contains: 'Win32_Product'
  condition: 1 of selection_*
  # Caveat: -EncodedCommand and -File hide the cmdlet from CommandLine; pair
  # this rule with PowerShell script block logging (Event ID 4104).
falsepositives:
  - "Software inventory agents (SCCM, Tanium, Qualys, Tenable, ServiceNow Discovery) that regularly enumerate installed software for asset management and vulnerability scanning"
  - "System administrators running wmic product get or reg query manually during troubleshooting or software audits"
  - "PowerShell Desired State Configuration (DSC) and automation scripts (Ansible, Chef, Puppet) querying installed packages during compliance checks"
  - "Software installers and uninstallers that read Uninstall registry keys to check for existing versions before installation"
  - "Endpoint Detection & Response (EDR) agents that perform software inventory as part of their telemetry collection"
level: low
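The following is an added example, not df00tech's code and not a Sigma engine: it evaluates the process_creation selections from the rule above (wmic product get, reg query of Uninstall keys, Get-Package, Win32_Product) over constructed sample events, applies a hypothetical parent-process allowlist standing in for the inventory agents listed under falsepositives, and unpacks a PowerShell -EncodedCommand payload so the hidden cmdlet is visible to the string selections. Field names follow Sigma's process_creation taxonomy (Image, CommandLine, ParentImage); the sample events, the allowlist and the selection names are assumptions made for the example.

```python
"""Added example (not df00tech's code, not a Sigma engine): run the rule's
process_creation selections over constructed sample events. Implements only
the endswith/contains/all modifiers the rule uses, case-insensitive as Sigma
defaults to; field names follow Sigma's process_creation taxonomy."""
import base64
import re

# Selections as in the rule: "field|modifiers" -> values.
RULE = {
    "selection_wmic": {"Image|endswith": ["\\wmic.exe"],
                       "CommandLine|contains|all": ["product", "get"]},
    "selection_reg": {"Image|endswith": ["\\reg.exe"],
                      "CommandLine|contains|all": ["query", "\\Uninstall"]},
    "selection_powershell": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                             "CommandLine|contains": ["Get-Package"]},
    "selection_wmi": {"CommandLine|contains": ["Win32_Product"]},
}
# Hypothetical parent allowlist standing in for the inventory agents under
# falsepositives (CcmExec.exe is the SCCM client agent).
BENIGN_PARENTS = {"ccmexec.exe"}
# PowerShell's -EncodedCommand switch and its common abbreviations.
ENC_RE = re.compile(r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) to the
    command line so string selections can see it; unchanged if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def field_matches(event, key, values):
    """One Sigma field test: contains/endswith (else equals), case-insensitive;
    'all' requires every value, otherwise any single value suffices."""
    field, *modifiers = key.split("|")
    haystack = event.get(field, "")
    if field == "CommandLine":
        haystack = expand_encoded(haystack)
    haystack = haystack.lower()
    hits = []
    for needle in (v.lower() for v in values):
        if "contains" in modifiers:
            hits.append(needle in haystack)
        elif "endswith" in modifiers:
            hits.append(haystack.endswith(needle))
        else:
            hits.append(haystack == needle)
    return all(hits) if "all" in modifiers else any(hits)


def matching_selections(event):
    """Selections whose every field condition holds (condition: 1 of selection_*)."""
    return [name for name, sel in RULE.items()
            if all(field_matches(event, k, v) for k, v in sel.items())]


def triage(event):
    """None if the rule does not fire; else matched selections plus whether the
    parent-process allowlist would suppress the alert."""
    sels = matching_selections(event)
    if not sels:
        return None
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    return {"selections": sels, "suppressed": parent in BENIGN_PARENTS}


# Constructed sample events, not from any real host. The encoded payload is
# built here rather than captured.
ENCODED_GET_PACKAGE = base64.b64encode("Get-Package".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic product get name,version"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "powershell -nop -c Get-Package | Select-Object Name,Version"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'pwsh -c "Get-CimInstance Win32_Product"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},  # benign: not a product query
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},  # SCCM
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell -nop -w hidden -enc {ENCODED_GET_PACKAGE}"},
]


def run(events=SAMPLE_EVENTS):
    """Triage result per event, in input order."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run()):
        print(f"{event['CommandLine'][:58]:<58} -> {result}")
```

Running the block prints one line per event: the four discovery commands fire on their respective selections, `wmic os get caption` does not fire, the SCCM-parented `reg query` fires but is marked suppressed, and the `-enc` event fires only because the payload was decoded first, which is the gap the rule's 4104 caveat is about. Note that suppression keys on the parent image name alone, which an attacker who can spawn children from the agent process can forge; in production, key the allowlist on a signed image path or the agent's service account instead.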
