title: Software (T1592.002)
id: df00tech-t1592-002
status: experimental
description: "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include types and versions on specific hosts, as well as the presence of additional components indicative of defensive protections such as antivirus solutions or SIEMs. Adversaries gather this information via active scanning (banner grabbing, port scanning, HTTP probing for version-revealing endpoints), phishing for information, or by compromising websites to inject JavaScript fingerprinting scripts that collect visitor browser and plugin data. Additionally, adversaries analyze metadata from victim-owned files (PDFs, Office documents, images) hosted on public websites to extract software version information, which can be cross-referenced with known CVEs to identify exploitable attack vectors."
references:
  - https://attack.mitre.org/techniques/T1592/002/
  - https://df00tech.com/detections/T1592.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1592.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
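  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches any event carrying an EventID field;
  # replace it with real logic before deploying this rule.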
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate vulnerability scanners operated by internal security teams or authorized third-party penetration testers
  - "Commercial security rating services (SecurityScorecard, BitSight) that continuously probe public-facing infrastructure"
  - "Uptime monitoring and synthetic transaction services (Pingdom, UptimeRobot, Datadog Synthetics) using identifiable user-agents"
  - "Search engine crawlers (Googlebot, Bingbot) accessing robots.txt, sitemap.xml, and publicly documented paths"
  - Web application testing during SDLC pipelines where developers run automated scans in staging environments mirroring production
level: low
