diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md
index a4e99741..8402d23f 100644
--- a/atomics/T1518/T1518.md
+++ b/atomics/T1518/T1518.md
@@ -4,22 +4,37 @@
## Atomic Tests
-- [Atomic Test #1 - Find and Display Iinternet Explorer Browser Version](#atomic-test-1---find-and-display-iinternet-explorer-browser-version)
-
+- [Atomic Test #1 - Find and Display Iinternet Explorer Browser Version](#atomic-test-1---find-and-display-internet-explorer-browser-version)
+- [Atomic Test #2 - Find and Display Currently Installed Software](#atomic-test-2---applications-installed)
-## Atomic Test #1 - Find and Display Iinternet Explorer Browser Version
+## Atomic Test #1 - Find and Display Internet Explorer Browser Version
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
+#### Run it with `command_prompt`!
```
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
```
-
-
+
+
+## Atomic Test #2 - Applications Installed
+Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors. This test queries two registry keys in Windows known to have installation information for programs.
+
+References:
+https://blogs.technet.microsoft.com/heyscriptingguy/2011/11/13/use-powershell-toquickly-find-installed-software
+https://blogs.technet.microsoft.com/heyscriptingguy/2013/11/15/use-powershell-to-find-installed-software
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
+powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
+```
diff --git a/atomics/T1518/T1518.yaml b/atomics/T1518/T1518.yaml
index 29a2e277..dc653bfa 100644
--- a/atomics/T1518/T1518.yaml
+++ b/atomics/T1518/T1518.yaml
@@ -3,7 +3,7 @@ attack_technique: T1518
display_name: Software Discovery
atomic_tests:
-- name: Find and Display Iinternet Explorer Browser Version
+- name: Find and Display Internet Explorer Browser Version
description: |
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
@@ -16,3 +16,16 @@ atomic_tests:
command: | # these are the actaul attack commands, at least one command must be provided
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
+- name: Applications Installed
+ description: |
+ Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
+ command: | # these are the actual attack commands, at least one command must be provided
+ POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
+ powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"