Software

Information

• Name: Software

• ID: T1592.002

• Tactics:

• Technique:

Introduction

Software (T1592.002) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Gather Victim Host Information" (T1592). Attackers leverage this sub-technique to identify and gather detailed information about installed software, software versions, configurations, and dependencies on targeted systems. This information assists adversaries in planning subsequent exploitation, privilege escalation, lateral movement, or persistence strategies by identifying vulnerabilities or weaknesses related to specific software.

Deep Dive Into Technique

Attackers executing Software (T1592.002) typically seek to enumerate installed software packages, their versions, configurations, and associated vulnerabilities. Technical methods and mechanisms include:

• System Commands and Utilities:

  • Windows:

    • wmic product get name,version

    • Get-WmiObject -Class Win32_Product (PowerShell)

    • Querying registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

  • Linux/Unix:

    • dpkg -l or apt list --installed (Debian-based distributions)

    • rpm -qa (Red Hat-based distributions)

    • Checking /etc directories and configuration files

• Custom Scripts and Malware:

  • Scripts that automate software enumeration and reporting back to attacker-controlled servers.

  • Malware implants capable of scanning installed software, capturing configuration files, and transmitting data to command-and-control (C2) servers.

• Remote Access Tools:

  • Remote access Trojans (RATs) capable of executing commands remotely to gather software information.

  • Exploitation frameworks like Metasploit, Cobalt Strike, and Empire that include built-in modules for software enumeration.

• Exploitation of Management Tools:

  • Leveraging legitimate administrative tools or IT asset management software to extract detailed software inventories.

Attackers often correlate enumerated software data with known vulnerability databases (e.g., CVE databases, Exploit-DB) to identify exploitable vulnerabilities, outdated software, or misconfigurations.

When this Technique is Usually Used

Attackers commonly utilize Software (T1592.002) during various stages of the cyber kill chain, including:

• Reconnaissance and Initial Access:

  • Identifying vulnerable software to target initial exploitation.

  • Planning phishing or spear-phishing attacks tailored to software vulnerabilities.

• Execution and Privilege Escalation:

  • Determining installed software versions to exploit known vulnerabilities or escalate privileges.

• Lateral Movement:

  • Enumerating software on compromised hosts to identify potential pivot points or vulnerable services on adjacent systems.

• Persistence and Defense Evasion:

  • Identifying security software, antivirus solutions, or endpoint detection and response (EDR) agents to disable or evade detection.

  • Selecting software vulnerable to DLL hijacking or other persistence techniques.

• Exfiltration and Impact:

  • Understanding installed backup solutions or data management software to disrupt recovery operations during ransomware attacks.

How this Technique is Usually Detected

Organizations can detect Software (T1592.002) enumeration through multiple detection methods, tools, and indicators of compromise (IoCs):

• Endpoint Detection and Response (EDR) and Antivirus Solutions:

  • Monitoring suspicious execution of system enumeration commands (wmic, dpkg, rpm, PowerShell scripts).

  • Detecting abnormal access to registry keys related to installed software.

• System and Audit Logs:

  • Reviewing logs for unexpected execution of software enumeration commands.

  • Monitoring PowerShell logs for suspicious scripts querying installed software.

• Process and Command-Line Monitoring:

  • Identifying unusual command-line arguments or scripts designed to enumerate software information.

  • Detecting execution of enumeration utilities from unauthorized or unexpected user accounts or processes.

• Network Traffic Analysis:

  • Detecting outbound traffic containing software inventory data sent to unknown or suspicious external IP addresses or domains.

• Behavioral Analytics and SIEM Solutions:

  • Correlating multiple enumeration events across multiple endpoints.

  • Alerting on anomalous patterns of enumeration activities, particularly outside scheduled inventory scans.

Specific IoCs include:

• Unusual execution of commands such as:

  • wmic product get

  • Get-WmiObject -Class Win32_Product

  • dpkg -l, rpm -qa executed by unauthorized users or processes.

• Unusual outbound network connections following software enumeration activities.

• Suspicious scripts or binaries residing in temporary directories or user folders that execute enumeration commands.

Why it is Important to Detect This Technique

Early detection of software enumeration activities is critical due to the potential severe impacts on systems and networks, including:

• Vulnerability Identification:

  • Attackers use software enumeration to identify and exploit known vulnerabilities, potentially leading to unauthorized access, privilege escalation, or lateral movement.

• Targeted Attacks:

  • Attackers leverage detailed software information to craft targeted attacks, increasing the likelihood of successful exploitation.

• Reduced Security Posture:

  • Enumeration of installed security solutions can lead to attacker-driven evasion, disabling, or bypassing of security controls.

• Data Exfiltration and Ransomware:

  • Attackers can identify critical backup and recovery software, disrupting recovery efforts and increasing ransomware effectiveness.

• Operational Disruption:

  • Attackers may target software critical to business operations, causing significant downtime, financial losses, and reputational damage.

Early detection allows organizations to:

• Rapidly identify and mitigate potential threats before attackers exploit vulnerabilities.

• Strengthen security posture by patching vulnerable software and improving security controls.

• Reduce overall risk exposure and minimize potential operational disruptions and data breaches.

Examples

Real-world examples demonstrating the use of Software (T1592.002):

• APT29 (Cozy Bear):

  • Known to use custom scripts and commands (wmic, PowerShell) to enumerate installed software on compromised Windows hosts.

  • Leveraged software enumeration data to identify vulnerable software and escalate privileges within victim networks.

• FIN7:

  • Utilized PowerShell scripts to enumerate installed software, including endpoint protection and antivirus solutions, enabling targeted evasion and persistence.

• Ryuk Ransomware:

  • Enumerated backup software and processes on infected systems to disable recovery capabilities before encrypting data, significantly impacting victim organizations.

• TrickBot Malware:

  • Incorporated modules capable of enumerating installed software and security solutions to facilitate lateral movement and persistence.

• Conti Ransomware Group:

  • Conducted software enumeration to identify installed security tools, antivirus software, and backup solutions, enabling targeted disruption of recovery operations and security controls.

These examples highlight the critical role of software enumeration in attacker methodologies across various threat actors, emphasizing the importance of robust detection and prevention measures.