Software Discovery: Backup Software Discovery

ID Name
T1518.001 Security Software Discovery
T1518.002 Backup Software Discovery

Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact.

Commands that can be used to obtain backup software information include netsh, reg query (Reg), dir (cmd), and Tasklist, but other indicators of discovery behavior may be more specific to the backup product or system the adversary is looking for, such as Veeam, Acronis, Dropbox, or Paragon.[1]

ID: T1518.002
Sub-technique of: T1518
Tactic: Discovery
Platforms: Linux, Windows, macOS
Contributors: Florian Heigl
Version: 1.0
Created: 22 May 2025
Last Modified: 22 October 2025

Procedure Examples

ID Name Description
G0102 Wizard Spider

Wizard Spider has utilized the PowerShell script Get-DataInfo.ps1 to collect installed backup software information from a compromised machine.[2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID: DET0088
Name: Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002)

Analytic AN0240: Defender observes execution of commands like tasklist, sc query, reg query, or PowerShell WMI/Registry queries targeting known backup products (e.g., Veeam, Acronis, CrashPlan). Behavior often includes parent-child lineage involving PowerShell or cmd.exe with discovery syntax, and enumeration of services, directories, or registry paths tied to backup software.

Analytic AN0241: Defender observes use of CLI tools (find, grep, ls, dpkg, rpm, systemctl, ps aux) to discover backup agents or config files (e.g., rsnapshot, duplicity, veeam). This often includes command lines that recursively search /etc/, /opt/, or /var/ directories for keywords like backup, and parent-child relationships involving shell or Python scripts.

Analytic AN0242: Defender detects execution of mdfind, launchctl, or GUI-based enumeration (e.g., /Applications/Time Machine.app) along with command-line usage of find, grep, or system_profiler to identify installed backup tools like Time Machine, Carbon Copy Cloner, or Backblaze. This activity is often triggered from Terminal sessions or from within post-exploitation scripts.
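An added illustration, not part of the ATT&CK page or any MITRE tooling, of how the three analytics above and the command list in the technique description can be encoded as one rule over process-creation telemetry: a finding requires both a named discovery tool and a backup-related keyword in the command line, and records whether the parent is a scripting host. The event schema, tool sets, keyword list and sample events are all constructed for this example.

```python
"""Toy detector for the DET0088 analytics (AN0240-AN0242) over constructed process events."""
import re
ANALYTIC_BY_PLATFORM = {"windows": "AN0240", "linux": "AN0241", "macos": "AN0242"}
# Discovery tools each analytic names (Windows images compared without the .exe suffix).
DISCOVERY_TOOLS = {
    "windows": {"tasklist", "sc", "reg", "powershell", "cmd", "netsh"},
    "linux": {"find", "grep", "ls", "dpkg", "rpm", "systemctl", "ps"},
    "macos": {"mdfind", "launchctl", "find", "grep", "system_profiler"},
}
# Backup products and keywords the analytics cite; a constructed starting list, not exhaustive.
BACKUP_KEYWORDS = re.compile(
    r"veeam|acronis|crashplan|rsnapshot|duplicity|time machine|carbon copy cloner|"
    r"backblaze|backup", re.IGNORECASE)
# Parents that give the scripted / post-exploitation lineage the analytics describe.
SCRIPT_PARENTS = {"powershell", "cmd", "bash", "sh", "zsh", "python", "python3", "terminal"}

def basename(path):
    """Last path component on either separator, lower-cased, with any '.exe' stripped."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def detect(event):
    """Return a finding if the event matches its platform's analytic, else None. A named
    discovery tool AND a backup keyword in the command line are both required, so an
    unfiltered 'tasklist' does not fire: a precision trade-off, not a claim it is benign."""
    tool = basename(event["image"])
    if tool not in DISCOVERY_TOOLS[event["platform"]]:
        return None
    hit = BACKUP_KEYWORDS.search(event["cmdline"])
    if hit is None:
        return None
    return {"analytic": ANALYTIC_BY_PLATFORM[event["platform"]], "tool": tool,
            "keyword": hit.group(0).lower(),
            "scripted_parent": basename(event["parent"]) in SCRIPT_PARENTS}

# Constructed sample telemetry: one true positive per platform plus two benign events.
SAMPLE_EVENTS = [
    {"platform": "windows", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Veeam\Veeam Backup and Replication"'},
    {"platform": "windows", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"platform": "linux", "parent": "/bin/bash", "image": "/usr/bin/grep",
     "cmdline": "grep -ri backup /etc/ /opt/"},
    {"platform": "linux", "parent": "/lib/systemd/systemd", "image": "/usr/bin/systemctl",
     "cmdline": "systemctl status sshd"},
    {"platform": "macos", "parent": "Terminal", "image": "/usr/bin/mdfind",
     "cmdline": "mdfind \"kMDItemDisplayName == 'Carbon Copy Cloner'\""},
]
```

Running `[detect(e) for e in SAMPLE_EVENTS]` yields one finding per platform and None for the two benign events; in production the keyword and tool lists would be tuned to the backup products actually deployed in the environment.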

References