- Tactics
- Discovery
- Platforms
- Windows, macOS, Linux
- Reference
- attack.mitre.org/techniques/T1518.002
Description
Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact.
Commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for, such as Veeam, Acronis, Dropbox, or Paragon.(Citation: Symantec Play Ransomware 2023)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Discovery tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1007 — System Service Discovery
- T1010 — Application Window Discovery
- T1012 — Query Registry
- T1016 — System Network Configuration Discovery
- T1018 — Remote System Discovery
- T1033 — System Owner/User Discovery
- T1040 — Network Sniffing
- T1046 — Network Service Discovery
- T1049 — System Network Connections Discovery
- T1057 — Process Discovery
- T1069 — Permission Groups Discovery
- T1082 — System Information Discovery