Find sigma rule

Attack: Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Such software may be deployed widely across the environment for configuration management or security reasons, such as Software Deployment Tools, and may allow adversaries broad access to infect devices or move laterally.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.

MITRE

Tactic

discovery

technique

T1518

Test : Find and Display Internet Explorer Browser Version

OS

windows

Description:

Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed.

Executor

command_prompt

Sigma Rule

proc_creation_win_reg_software_discovery.yml (id: e13f668e-7f95-443d-98d2-1816a7648a7b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test