Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Detected Windows Software Discovery

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nikita Nazarov, oscd.communityCreated Fri Oct 16Updated Sun Oct 09e13f668e-7f95-443d-98d2-1816a7648a7bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '\reg.exe'    # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
        CommandLine|contains|all:
            - 'query'
            - '\software\'
            - '/v'
            - 'svcversion'
    condition: selection
False Positives

Legitimate administration activities

References
1
Resolving title…
github.com
2
Resolving title…
github.com
MITRE ATT&CK
Related Rules
DerivedDetectionmedium

Detected Windows Software Discovery - PowerShell

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
e13f668e-7f95-443d-98d2-1816a7648a7b
Status
test
Level
medium
Type
Detection
Created
Fri Oct 16
Modified
Sun Oct 09
Author
Nikita Nazarov, oscd.community
Path
rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml
Raw Tags
attack.discoveryattack.t1518
View on GitHub