The sub-techniques beta is now live! Read the release blog post for more info.

Software Discovery

Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

ID: T1518
Tactic: Discovery
Platform: Linux, macOS, Windows
Permissions Required: User, Administrator
Data Sources: Process command-line parameters, Process monitoring, File monitoring
Version: 1.0
Created: 16 September 2019
Last Modified: 27 September 2019

Procedure Examples

Name Description

Orz can gather the victim's Internet Explorer version.[1]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.