Description
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. The information from Software Discovery is typically gathered during automated discovery and used to shape follow-on behaviors, including whether the adversary fully infects the target and/or attempts specific actions.
Some of this software, such as Software Deployment Tools, is deployed widely across an environment for configuration management or security reasons, and discovering it can give an adversary broad access to infect devices or move laterally.
Adversaries may enumerate software for a variety of reasons: to learn which security measures are present, to find out whether the compromised system runs a version of software that is vulnerable to Exploitation for Privilege Escalation, or, as the group and software entries below show, to locate specific applications of interest such as browsers, banking clients, or administrative binaries.
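The following Python script is an added worked example, not ATT&CK text or the code of any group or tool listed on this page. It performs the enumeration described above the way the listed tooling does it: on Windows it walks the Registry Uninstall keys (the source Volt Typhoon and Bazar query), on Linux it reads the dpkg or rpm database, and on macOS it lists /Applications. It then checks the inventory against a target list, which is what malware such as Metamorfo (banking applications) or Mustang Panda (InstallUtil.exe and its version) does with the result. The product name and version threshold in TARGETS are constructed for illustration and do not refer to a real advisory.

```python
"""Installed-software enumeration across Windows, Linux and macOS, followed by a
version check against a target list. Added example; TARGETS below is constructed."""
import os
import platform
import re
import subprocess
from typing import Dict, Iterator, List, Tuple

_UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",  # 32-bit apps on 64-bit Windows
)

def _windows_software() -> Iterator[Tuple[str, str]]:
    """Walk HKLM and HKCU Uninstall keys, yielding (DisplayName, DisplayVersion)."""
    import winreg  # Windows-only module
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in _UNINSTALL_KEYS:
            try:
                root = winreg.OpenKey(hive, path)
            except OSError:
                continue  # key absent in this hive
            with root:
                idx = 0
                while True:
                    try:
                        sub = winreg.EnumKey(root, idx)
                    except OSError:
                        break  # no more subkeys
                    idx += 1
                    try:
                        with winreg.OpenKey(root, sub) as key:
                            name = winreg.QueryValueEx(key, "DisplayName")[0]
                            try:
                                ver = winreg.QueryValueEx(key, "DisplayVersion")[0]
                            except OSError:
                                ver = ""  # version value not always present
                    except OSError:
                        continue  # entries without DisplayName are not user-visible programs
                    yield str(name), str(ver)

def parse_tabbed(output: str) -> List[Tuple[str, str]]:
    """Parse 'name<TAB>version' lines as produced by the dpkg-query / rpm format strings below."""
    rows = []
    for line in output.splitlines():
        name, sep, ver = line.partition("\t")
        if sep and name.strip():
            rows.append((name.strip(), ver.strip()))
    return rows

def _linux_software() -> List[Tuple[str, str]]:
    for cmd in (["dpkg-query", "-W", "-f=${Package}\\t${Version}\\n"],
                ["rpm", "-qa", "--qf", "%{NAME}\\t%{VERSION}-%{RELEASE}\\n"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue  # that package manager is not present on this distribution
        return parse_tabbed(out)
    return []

def _macos_software() -> List[Tuple[str, str]]:
    apps = "/Applications"
    if not os.path.isdir(apps):
        return []
    return [(n[:-4], "") for n in sorted(os.listdir(apps)) if n.endswith(".app")]

def installed_software() -> List[Tuple[str, str]]:
    system = platform.system()
    if system == "Windows":
        return list(_windows_software())
    if system == "Linux":
        return _linux_software()
    if system == "Darwin":
        return _macos_software()
    return []

def version_tuple(ver: str) -> Tuple[int, ...]:
    """Numeric components only, so 4.10.0 sorts after 4.2.0 (a string compare gets this wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", ver))

def find_targets(inventory, targets: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, version, fixed_in) for products whose name contains a target key
    (case-insensitive) and whose version is older than fixed_in; an empty version is
    treated as unknown and reported too."""
    hits = []
    for name, ver in inventory:
        for needle, fixed_in in targets.items():
            if needle.lower() in name.lower() and (not ver or version_tuple(ver) < version_tuple(fixed_in)):
                hits.append((name, ver, fixed_in))
    return hits

TARGETS = {"contoso viewer": "4.2.0"}  # constructed product and threshold, not a real advisory

if __name__ == "__main__":
    inv = installed_software()
    print(f"{len(inv)} installed packages/applications")
    for hit in find_targets(inv, TARGETS):
        print("candidate:", hit)
```

Run it as the user whose context a malware sample would have: the HKCU branch is what per-user installs land in, and the WOW6432Node key is where many enumerators forget to look. The same inventory logic is what a defender's asset inventory uses, which is why the detection question is less about the command than about who ran it and from where.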
Sub-Techniques (2)
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has queried the Registry on compromised systems for information on installed software.(Citation:... |
| G0124 | Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a script to detect installed software on targeted systems.(Citation: ESET ForSSHe December 2... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has enumerated installed software on compromised systems.(Citation: Symantec Inception Framework Ma... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used tools to enumerate software installed on an infected host.(Citation: Trend Micro Tick ... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used malware to identify installed software.(Citation: BlackBerry Bahamut) |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used a PowerShell backdoor to check for Skype connectivity on the target machine.(Citation: Tr... |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has collected browser information from a compromised host.(Citation: MalwareBytes SideCopy Dec 2021) |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to enumerate software installed on an infected host.(Citation: ATT Sidewinder Janua... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has searched the victim system for the <code>InstallUtil.exe</code> program and its version.(Ci... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has enumerated programs installed on an infected machine.(Citation: Kaspersky Lyceum October 2021) |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081)'s backdoor could list the infected system's installed software.(Citation: TrendMicro Tropic Tr... |
Associated Software (38)
| ID | Name | Type | Context |
|---|---|---|---|
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has searched the compromised system for banking applications.(Citation: FireEye Metamorfo Apr 201... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) uses <code>ps aux</code> with the <code>grep</code> command to enumerate common browsers and system ... |
| S0623 | Siloscape | Malware | [Siloscape](https://attack.mitre.org/software/S0623) searches for the kubectl binary.(Citation: Unit 42 Siloscape Jun 2021) |
| S0674 | CharmPower | Malware | [CharmPower](https://attack.mitre.org/software/S0674) can list the installed applications on a compromised host.(Citation: Check Point APT35 CharmPowe... |
| S0445 | ShimRatReporter | Tool | [ShimRatReporter](https://attack.mitre.org/software/S0445) gathered a list of installed software on the infected host.(Citation: FOX-IT May 2016 Mofan... |
| S0062 | DustySky | Malware | [DustySky](https://attack.mitre.org/software/S0062) lists all installed software for the infected machine.(Citation: Kaspersky MoleRATs April 2019) |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) has the ability to search systems for installed applications.(Citation: Kandji Cuckoo April... |
| S1042 | SUGARDUMP | Malware | [SUGARDUMP](https://attack.mitre.org/software/S1042) can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a c... |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) can check the victim's default browser to determine which process to inject its communications modul... |
| S0154 | Cobalt Strike | Malware | The [Cobalt Strike](https://attack.mitre.org/software/S0154) System Profiler can discover applications through the browser and identify the version of... |
| S0384 | Dridex | Malware | [Dridex](https://attack.mitre.org/software/S0384) has collected a list of installed software on the system.(Citation: Checkpoint Dridex Jan 2021) |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can list installed software on compromised systems.(Citation: ESET Turla Lunar toolset May 2024) |
| S0646 | SpicyOmelette | Malware | [SpicyOmelette](https://attack.mitre.org/software/S0646) can enumerate running software on a targeted system.(Citation: Secureworks GOLD KINGSWOOD Sep... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) variants use COM objects to enumerate installed applications from the "AppsFolder" on victim ... |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has gathered installed programs and running processes.(Citation: Zscaler ContagiousIntervie... |
| S0229 | Orz | Malware | [Orz](https://attack.mitre.org/software/S0229) can gather the victim's Internet Explorer version.(Citation: Proofpoint Leviathan Oct 2017) |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can query the Registry for installed applications.(Citation: Cybereason Bazar July 2020) |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify the Internet Explorer (IE) version on an infected host.(Citation: Kasp... |
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) can list PHP server configuration details.(Citation: ANSSI Sandworm January 2021) |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) has the ability to enumerate what browser is being used as well as version information for Safari.... |
Frequently Asked Questions
What is T1518 (Software Discovery)?
T1518 is a MITRE ATT&CK technique named 'Software Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https...
How can T1518 be detected?
Detection of T1518 (Software Discovery) relies on endpoint telemetry rather than network traffic: the relevant ATT&CK data sources are Command Execution, Process Creation, OS API Execution and firewall enumeration/metadata events. Monitor processes and command-line arguments for actions that enumerate installed programs (queries of the Registry Uninstall keys, WMI Win32_Product, package-manager listings, browser and application probes). Because discovery happens throughout an intrusion and a single enumeration command is routine administrative activity, do not view these events in isolation: correlate them with the parent process, the user, and follow-on behaviour such as Lateral Movement or Exploitation for Privilege Escalation. Remote access tools with built-in discovery features may read the Registry or call the Windows API directly, which command-line monitoring alone will not see.
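As an added example (not ATT&CK content), the following Python detection runs over constructed process-creation events in the shape Sysmon Event ID 1 produces and applies the caveat above: a discovery command line is only a hit, and a host is only alerted on when its hits come from a parent that should never enumerate software or when several hits cluster within a short window. The parent allowlist entry for an inventory agent is hypothetical and must be tuned per environment.

```python
"""Flag installed-software enumeration in process-creation telemetry, correlating hits
per host so that a single admin-run `reg query` does not page anyone.
Added example; SAMPLE_EVENTS and ALLOWLISTED_PARENTS are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Command lines that enumerate installed software on Windows, Linux and macOS.
DISCOVERY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\breg(?:\.exe)?\s+query\b.*\\Uninstall",          # Registry Uninstall keys
    r"\bwmic(?:\.exe)?\s+product\b",                    # WMI Win32_Product via wmic
    r"Get-ItemProperty\b.*\\Uninstall",                 # PowerShell Registry read
    r"Get-(?:WmiObject|CimInstance)\b.*Win32_Product",  # PowerShell WMI/CIM
    r"\bGet-Package\b",                                 # PackageManagement
    r"\bdpkg(?:-query)?\s+(?:-l\b|--list\b|-W\b)",      # Debian package list
    r"\brpm\s+-qa\b",                                   # RPM package list
    r"\bsystem_profiler\b.*SPApplicationsDataType",     # macOS application list
    r"\bps\s+(?:aux|-ef)\b.*\|\s*grep\b",               # process grep for browsers/AV
)]

# Parents that have no business enumerating software, and a hypothetical allowlist
# for an inventory agent that legitimately runs `wmic product`.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe"}
ALLOWLISTED_PARENTS = {"ccmexec.exe"}  # hypothetical: management-client host process

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_discovery(cmdline: str) -> bool:
    """True when the command line matches any software-enumeration pattern."""
    return any(p.search(cmdline) for p in DISCOVERY_PATTERNS)

def detect(events: List[Dict], window: timedelta = timedelta(minutes=5),
           min_hits: int = 2) -> List[Dict]:
    """One alert per host whose discovery commands come from a suspicious parent
    or cluster (>= min_hits) inside `window`; allowlisted parents are dropped first."""
    per_host: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_discovery(ev["cmdline"]):
            continue
        if _basename(ev["parent_image"]) in ALLOWLISTED_PARENTS:
            continue
        per_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in per_host.items():
        for i, ev in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - ev["ts"] <= window]
            suspicious = _basename(ev["parent_image"]) in SUSPICIOUS_PARENTS
            if suspicious or len(cluster) >= min_hits:
                alerts.append({
                    "host": host,
                    "first_seen": ev["ts"].isoformat(),
                    "hits": len(cluster),
                    "suspicious_parent": suspicious,
                    "commands": [e["cmdline"] for e in cluster],
                })
                break  # one alert per host; the cluster carries the evidence
    return alerts

T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"host": "ws-0007", "ts": T0, "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s'},
    {"host": "ws-0042", "ts": T0 + timedelta(minutes=10),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'powershell.exe -nop -w hidden -c "Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion"'},
    {"host": "ws-0042", "ts": T0 + timedelta(minutes=10, seconds=40),
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "wmic product get name,version"},
    {"host": "srv-0001", "ts": T0 + timedelta(minutes=20),
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": "wmic product get name,version,vendor"},
    {"host": "ws-0007", "ts": T0 + timedelta(minutes=30),
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only ws-0042 alerts: PowerShell spawned by WINWORD.EXE reading the Uninstall keys, followed 40 seconds later by `wmic product`. The lone `reg query` from an interactive cmd.exe on ws-0007 is recorded but not alerted, and the management agent on srv-0001 is suppressed by the allowlist. Lowering min_hits to 1 turns the ws-0007 event into an alert, which is the trade-off the FAQ answer above describes. Malware that reads the Registry through the API, as Bazar does, produces no command line at all, so this rule needs an API or Registry-access telemetry source beside it.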
What mitigations exist for T1518?
ATT&CK lists no mitigation for T1518: it abuses legitimate system features (Registry reads, WMI, package managers), so it cannot easily be prevented with preventive controls. The practical response is to reduce what the discovery yields and to detect it: keep software patched and remove what is not needed so that an enumerated version is not a usable foothold, apply least privilege so enumeration runs in a low-privileged context, and monitor the discovery activity itself as described above.
Which threat groups use T1518?
Known threat groups using T1518 include: Volt Typhoon, Windigo, Inception, BRONZE BUTLER, Windshift, MuddyWater, SideCopy, Sidewinder, Mustang Panda, HEXANE, and Tropic Trooper.