title: Detected Windows Software Discovery
id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
    - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
      type: derived
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/16
modified: 2021/09/21
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
tags:
    - attack.discovery
    - attack.t1518
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'    # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
        CommandLine|contains|all:
            - 'query'
            - '\software\'
            - '/v'
            - 'svcversion'
    condition: selection
level: medium
falsepositives:
    - Legitimate administration activities