Software Discovery - T1518
(ATT&CK® Technique)
Definition
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
D3FEND Inferred Relationships
Software Discovery (T1518) may-access Kernel Process Table
Software Discovery (T1518) may-access File System Metadata
Software Discovery (T1518) may-invoke Get Running Processes
Software Discovery (T1518) may-access System Configuration Database Record
Software Discovery (T1518) may-access System Firewall Configuration

Restore Configuration restores System Configuration Database Record
Restore Configuration restores System Firewall Configuration
Restore Configuration may-restore Software Discovery (T1518)
System Call Analysis analyzes Get Running Processes
System Call Analysis may-detect Software Discovery (T1518)
System Call Filtering filters Get Running Processes
System Call Filtering may-isolate Software Discovery (T1518)