Adversary spawns a process or script to enumerate installed software using WMI, the registry, or PowerShell, potentially followed by additional discovery or evasion behavior. Enumerating the Win32_Product WMI class is itself noisy: Windows Installer runs a consistency check on every installed package and writes an MsiInstaller event (ID 1035, "Windows Installer reconfigured the product") per product to the Application log, which gives a second, independent signal of the query.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 (requires the "Include command line in process creation events" policy so the process command line is recorded) |
| Command Execution (DC0064) | WinEventLog:PowerShell | Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets (script block logging, EventCode=4104) |

| Field | Description |
|---|---|
| TimeWindow | Detection may be scoped to multiple discovery commands within a short timeframe. |
| ParentProcess | Tuning based on whether discovery activity stems from suspicious versus approved management tools (e.g., an endpoint-management agent). |

Adversary invokes 'dpkg -l', 'rpm -qa', or other package managers via shell or script to enumerate installed software. With auditd, the SYSCALL record carries the uid, ppid, and tty fields, while the command-line arguments are in the EXECVE record that shares the same event serial; both are needed to match the list flag and to scope on TTY context.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | Execution of dpkg, rpm, or other package manager with list flag |
| Command Execution (DC0064) | linux:shell | Manual invocation of software enumeration commands via interactive shell |

| Field | Description |
|---|---|
| ScriptName | Path to the wrapper script that invokes enumeration commands. |
| TTYContext | Scope detection to interactive vs. background shell contexts (auditd tty=pts0 vs. tty=(none)). |

Adversary runs 'system_profiler SPApplicationsDataType' or queries plist files to enumerate software via Terminal or scripts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of system_profiler or osascript invoking enumeration |
| Command Execution (DC0064) | auditd:SYSCALL | Command line arguments including SPApplicationsDataType |

| Field | Description |
|---|---|
| AppScope | Whether enumeration targets user apps or system apps. |
| ProcessGroup | Parent process or scripting environment (e.g., Python, osascript). |

Adversary uses cloud-native APIs or CLI (e.g., AWS Systems Manager, Azure Resource Graph) to list installed software on cloud workloads. In CloudTrail, the requested inventory type is recorded in requestParameters.typeName (e.g., AWS:Application) and the caller's tooling in userAgent, so both tuning fields below can be applied directly to the raw records.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | ssm:ListInventoryEntries |
| Command Execution (DC0064) | AWS:CloudTrail | ssm:GetCommandInvocation |

| Field | Description |
|---|---|
| UserAgent | Differentiate access from automated scripts or SDKs vs. the authorized console. |
| InventoryType | May focus on Application or Platform inventory only. |

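The CloudTrail analytic above, as an added example that is not part of the original page: a small Python filter that selects SSM inventory reads from constructed CloudTrail records, classifies the caller by userAgent, restricts on the requested inventory type, and alerts when one non-console principal sweeps several instances in a short window. The ARNs, instance IDs, and user-agent strings are constructed samples; the window and instance threshold are assumed tuning values, not page content.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# SSM API calls that read software inventory or command output. The page lists
# ListInventoryEntries and GetCommandInvocation; GetInventory is an assumed
# addition, since it returns the same inventory data account-wide.
SSM_READ_EVENTS = {"ListInventoryEntries", "GetInventory", "GetCommandInvocation"}
# InventoryType tuning: keep only software-related SSM inventory types.
SOFTWARE_TYPES = {"AWS:Application", "AWS:AWSComponent", "AWS:Service"}


def classify_user_agent(ua: str) -> str:
    """UserAgent tuning: console session vs. CLI/SDK automation."""
    u = (ua or "").lower()
    if u.startswith("console.amazonaws.com") or u == "aws internal":
        return "console"
    if u.startswith("aws-cli/"):
        return "cli"
    if "boto3" in u or "aws-sdk" in u:
        return "sdk"
    return "other"


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def select_inventory_reads(records: list[dict]) -> list[dict]:
    """Keep SSM inventory/command reads; drop ListInventoryEntries for non-software types."""
    out = []
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com" or r.get("eventName") not in SSM_READ_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        if r["eventName"] == "ListInventoryEntries" and params.get("typeName") not in SOFTWARE_TYPES:
            continue
        out.append(r)
    return out


def detect_inventory_sweep(records, window=timedelta(minutes=10), min_instances=3):
    """Alert when a principal reads software inventory for >= min_instances
    distinct instances within `window`, unless every call came from the console."""
    by_principal = defaultdict(list)
    for r in select_inventory_reads(records):
        by_principal[r["userIdentity"]["arn"]].append(r)
    alerts = []
    for arn, evs in by_principal.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            instances = {(e.get("requestParameters") or {}).get("instanceId") for e in span} - {None}
            agents = {classify_user_agent(e.get("userAgent", "")) for e in span}
            if len(instances) >= min_instances and agents != {"console"}:
                alerts.append({"principal": arn, "instances": sorted(instances),
                               "agents": sorted(agents), "start": first["eventTime"]})
                break  # one alert per principal
    return alerts


# ---- constructed sample trail (not real CloudTrail data) ----
ADMIN_ARN = "arn:aws:iam::123456789012:user/alice"
SCRIPT_ARN = "arn:aws:iam::123456789012:user/inventory-bot"
BOTO_UA = "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux#6.1 lang/python#3.11 Botocore/1.34.0"


def _rec(t, name, arn, ua, instance=None, type_name=None):
    params = {}
    if instance:
        params["instanceId"] = instance
    if type_name:
        params["typeName"] = type_name
    return {"eventVersion": "1.08", "eventTime": t, "eventSource": "ssm.amazonaws.com",
            "eventName": name, "userIdentity": {"type": "IAMUser", "arn": arn},
            "userAgent": ua, "requestParameters": params or None, "awsRegion": "us-east-1"}


SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-05-01T09:00:00Z", "ListInventoryEntries", ADMIN_ARN, "console.amazonaws.com", "i-0aaa111", "AWS:Application"),
    _rec("2024-05-01T09:01:00Z", "ListInventoryEntries", SCRIPT_ARN, BOTO_UA, "i-0aaa111", "AWS:Application"),
    _rec("2024-05-01T09:01:05Z", "ListInventoryEntries", SCRIPT_ARN, BOTO_UA, "i-0bbb222", "AWS:Application"),
    _rec("2024-05-01T09:01:09Z", "ListInventoryEntries", SCRIPT_ARN, BOTO_UA, "i-0ccc333", "AWS:Network"),  # filtered by type
    _rec("2024-05-01T09:01:12Z", "ListInventoryEntries", SCRIPT_ARN, BOTO_UA, "i-0ddd444", "AWS:Application"),
    _rec("2024-05-01T09:02:00Z", "GetCommandInvocation", SCRIPT_ARN, BOTO_UA, "i-0ddd444"),
    _rec("2024-05-01T09:30:00Z", "DescribeInstanceInformation", SCRIPT_ARN, BOTO_UA),  # not an inventory read
]})


def run_sample():
    return detect_inventory_sweep(json.loads(SAMPLE_TRAIL)["Records"])


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Only the scripted principal trips the rule: the console user touches one instance, and the AWS:Network read is dropped by the InventoryType filter before counting. Raise `min_instances` or shorten `window` to fit how your own inventory automation behaves.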
Adversary uses 'esxcli software vib list' to enumerate installed VIBs, drivers, and modules. Commands entered in the ESXi Shell or over SSH are recorded in /var/log/shell.log, which is the practical source for the esxi:shell channel below.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:shell | esxcli software vib list |
| Application Log Content (DC0038) | esxi:hostd | Host daemon command log entries related to vib enumeration |

| Field | Description |
|---|---|
| HostAccessMode | Detection may vary based on whether enumeration is local (ESXi Shell/DCUI) or remote (SSH, vCenter-proxied). |
| ScriptChain | Presence of enumeration in broader scripted sequence. |
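The four host-based analytics on this page (Windows, Linux, macOS, ESXi) share one shape: match a process or command line against the enumeration commands, then apply the TimeWindow, ParentProcess and TTYContext tuning. The following Python detector, an added example that is not part of the original page, runs that logic over constructed process-creation events for all four platforms. The regular expressions extend the page's commands with equivalent spellings (Get-CimInstance, wmic product get, the Uninstall registry key, dpkg-query, apt list --installed); those extensions, the parent-process allowlist, and the window and hit thresholds are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Command-line patterns per platform. The page names Get-WmiObject Win32_Product,
# dpkg -l / rpm -qa, system_profiler SPApplicationsDataType and esxcli software vib
# list; the other alternations are assumed equivalents, not page content.
DISCOVERY_PATTERNS = {
    "windows": re.compile(
        r"Get-(WmiObject|CimInstance)\s+(-Class(Name)?\s+)?Win32_Product"
        r"|wmic(\.exe)?\s+product\s+get"
        r"|reg(\.exe)?\s+query\s+.*\\Uninstall",
        re.IGNORECASE,
    ),
    "linux": re.compile(r"(^|\s)(dpkg\s+-l|dpkg-query\s+-[lW]|rpm\s+-qa|apt\s+list\s+--installed)(\s|$)"),
    "macos": re.compile(r"system_profiler\b.*\bSPApplicationsDataType\b"),
    "esxi": re.compile(r"esxcli\s+software\s+vib\s+list"),
}

# ParentProcess tuning: hypothetical approved management agents (lower-case image names).
APPROVED_PARENTS = {"ccmexec.exe", "inventory-agent"}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    platform: str            # key into DISCOVERY_PATTERNS
    parent: str              # creator/parent process image (4688 Creator Process Name, auditd ppid)
    cmdline: str             # 4688 Process Command Line, auditd EXECVE argv, shell.log line
    tty: Optional[str] = None  # auditd/unified-log tty; "(none)" = background; None = not applicable


def is_software_discovery(ev: ProcEvent) -> bool:
    pat = DISCOVERY_PATTERNS.get(ev.platform)
    return bool(pat and pat.search(ev.cmdline))


def _tty_context(hits) -> str:
    ttys = {h.tty for h in hits}
    if ttys == {None}:
        return "n/a"
    if any(t not in (None, "(none)") for t in ttys):
        return "interactive"
    return "background"


def detect(events, window=timedelta(minutes=5), min_hits=2):
    """TimeWindow correlation: alert per host when >= min_hits distinct discovery
    command lines from non-approved parents occur within `window`."""
    alerts, recent = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_software_discovery(ev) or ev.parent.lower() in APPROVED_PARENTS:
            continue
        hits = recent.setdefault(ev.host, [])
        hits.append(ev)
        hits[:] = [h for h in hits if ev.ts - h.ts <= window]  # age out old hits
        if len({h.cmdline for h in hits}) >= min_hits:
            alerts.append({"host": ev.host, "platform": ev.platform,
                           "commands": [h.cmdline for h in hits],
                           "parents": sorted({h.parent for h in hits}),
                           "tty_context": _tty_context(hits)})
            hits.clear()
    return alerts


# ---- constructed sample events (not real telemetry) ----
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # Windows: cmd.exe spawns two discovery commands 90 s apart -> alert
    ProcEvent(T0, "WS01", "windows", "cmd.exe",
              'powershell.exe -nop -c "Get-WmiObject Win32_Product | Select Name,Version"'),
    ProcEvent(T0 + timedelta(seconds=90), "WS01", "windows", "cmd.exe",
              r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s"),
    # Windows: same query from an approved management agent -> suppressed
    ProcEvent(T0, "WS02", "windows", "CcmExec.exe", "wmic.exe product get name,version"),
    # Linux: two package listings from a non-interactive script (tty=(none)) -> alert
    ProcEvent(T0 + timedelta(minutes=1), "web01", "linux", "bash", "dpkg -l", tty="(none)"),
    ProcEvent(T0 + timedelta(minutes=2), "web01", "linux", "bash", "apt list --installed", tty="(none)"),
    # macOS: a single system_profiler call from Terminal -> below the default threshold
    ProcEvent(T0, "mac01", "macos", "zsh", "system_profiler SPApplicationsDataType -detailLevel mini", tty="ttys000"),
    # ESXi: VIB listing typed into an SSH shell -> one hit
    ProcEvent(T0, "esx01", "esxi", "sh", "esxcli software vib list", tty="pts/0"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

With the defaults, WS01 and web01 alert and the macOS and ESXi single hits do not; for ESXi, where a single `esxcli software vib list` from an SSH session is already unusual, call `detect(events, min_hits=1)` and let the `tty_context` field drive the HostAccessMode triage.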