rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml

title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1518
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
            - 'get-itemProperty'
            - '\software\'
            - 'select-object'
            - 'format-table'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
$frack113$ Update title (#3746 ) 2022-12-02 18:10:43 +01:00			`title: Detected Windows Software Discovery - PowerShell`
$frack113$ split global win_software_discovery.yml 2021-09-21 13:28:47 +02:00			`id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282`
$frack113$ Merge PR #4479 From @frack113 - Upgrade Rules Status 2023-10-17 14:35:26 +02:00			`status: test`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.`
Detected Windows Software Discovery 2020-10-16 20:44:08 +03:00			`references:`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`author: Nikita Nazarov, oscd.community`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2020-10-16`
			`modified: 2022-12-02`
Detected Windows Software Discovery 2020-10-16 20:44:08 +03:00			`tags:`
			`- attack.discovery`
			`- attack.t1518`
			`logsource:`
			`product: windows`
$frack113$ Fix category and EventID 2021-11-12 12:18:44 +01:00			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
Detected Windows Software Discovery 2020-10-16 20:44:08 +03:00			`detection:`
			`selection:`
Add missing definition fields and references 2022-07-07 19:13:01 +01:00			`ScriptBlockText\|contains\|all:`
			`# Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize`
			`- 'get-itemProperty'`
			`- '\software\'`
			`- 'select-object'`
			`- 'format-table'`
$frack113$ split global win_software_discovery.yml 2021-09-21 13:28:47 +02:00			`condition: selection`
			`falsepositives:`
$frack113$ Fix category and EventID 2021-11-12 12:18:44 +01:00			`- Legitimate administration activities`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`level: medium`