Windows Software Discovery via PowerShell Registry Queries
Attackers use PowerShell to query the Windows registry's Uninstall key to discover installed software and identify potential vulnerabilities for exploitation.
Attackers are increasingly leveraging PowerShell to enumerate installed software on compromised systems. By querying the Uninstall registry key, adversaries can quickly gather detailed information about installed applications, including version numbers and patch levels. This information can then be used to identify vulnerable software and prioritize targets for further exploitation. This activity is often observed post-compromise as part of the reconnaissance phase. The detection is based on PowerShell script block logging (Event ID 4104) and focuses on identifying specific script content related to Get-ItemProperty and the Uninstall key. This technique allows attackers to efficiently map out the software landscape of a target environment, increasing the likelihood of successful exploitation.
Attack Chain
- An attacker gains initial access to a Windows system, potentially through phishing or exploiting a public-facing vulnerability.
- The attacker executes PowerShell with a command designed to query the Uninstall registry key.
- The PowerShell script uses Get-ItemProperty to retrieve information about installed software from the HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall or HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall registry keys.
- The script iterates through the registry entries, extracting details such as software name, version, and installation path.
- The collected information is formatted and stored in a variable for later use.
- The attacker may then filter, sort, or further process the collected software inventory data to identify specific targets.
- The attacker exfiltrates the software inventory information to a command and control (C2) server for analysis.
- Based on the software inventory, the attacker identifies vulnerable applications and plans subsequent attacks, such as exploiting known CVEs or deploying targeted malware.
Impact
Successful software discovery allows attackers to identify and exploit vulnerabilities in installed applications. This can lead to further compromise of the system, including data theft, ransomware deployment, or lateral movement within the network. The impact can range from individual workstation compromise to widespread enterprise-level breaches, depending on the scope of the attacker’s activities and the criticality of the targeted software.
Recommendation
- Enable PowerShell Script Block Logging (Event ID 4104) to provide visibility into PowerShell commands executed on endpoints.
- Deploy the Sigma rule “Detect Windows Software Discovery Via PowerShell” to your SIEM to detect suspicious PowerShell registry queries targeting the Uninstall key.
- Investigate any alerts generated by the Sigma rule, focusing on the user accounts and systems involved in the activity.
- Review and filter authorized management scripts identified as false positives, updating the Sigma rule to exclude them.
- Monitor for unusual network connections originating from systems where software discovery activity has been detected.
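The detection logic described above (Event ID 4104 script block text containing Get-ItemProperty and the Uninstall key) and the false-positive allowlisting step, as an added example run over constructed 4104 records; this is not the vendor's Sigma rule, and the allowlist path, the sample hosts and users, and the inclusion of the WOW6432Node branch are assumptions.

```python
import re

# Added detection example (not the vendor's Sigma rule): flag Event ID 4104
# script blocks that read the Uninstall key with Get-ItemProperty (or its
# alias gp), then drop hits from an allowlist of authorized inventory scripts.
READ_CMDLET = re.compile(r"\b(?:Get-ItemProperty|gp)\b", re.IGNORECASE)
# HKLM/HKCU Uninstall key in PowerShell drive or long-form notation; the
# WOW6432Node branch is an extension beyond the two paths named on the page.
UNINSTALL_KEY = re.compile(
    r"(?:HKLM:|HKCU:|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\+SOFTWARE\\+"
    r"(?:WOW6432Node\\+)?Microsoft\\+Windows\\+CurrentVersion\\+Uninstall",
    re.IGNORECASE,
)
# Hypothetical allowlist of script paths the IT team is authorized to run.
ALLOWED_SCRIPT_PATHS = {r"C:\ProgramData\IT\inventory.ps1"}

def is_software_discovery(script_block_text: str) -> bool:
    """True when the script block both calls the cmdlet and names the key."""
    return bool(READ_CMDLET.search(script_block_text)
                and UNINSTALL_KEY.search(script_block_text))

def triage_events(events):
    """One alert per qualifying 4104 event, skipping allowlisted script paths."""
    alerts = []
    for ev in events:
        if (ev.get("EventID") == 4104  # only Script Block Logging carries the text
                and is_software_discovery(ev.get("ScriptBlockText", ""))
                and ev.get("Path") not in ALLOWED_SCRIPT_PATHS):
            alerts.append({"host": ev["Computer"], "user": ev["User"],
                           "script": ev["ScriptBlockText"]})
    return alerts

# Constructed sample events in the shape of parsed 4104/4103 records.
def event(eid, host, user, path, text):
    return {"EventID": eid, "Computer": host, "User": user, "Path": path, "ScriptBlockText": text}

SAMPLE_EVENTS = [
    event(4104, "WS01", r"CORP\jdoe", "", r"Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion"),
    event(4104, "WS02", r"CORP\svc-inv", r"C:\ProgramData\IT\inventory.ps1", r"Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"),
    event(4104, "WS03", r"CORP\asmith", "", r"Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    event(4103, "WS01", r"CORP\jdoe", "", r"Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"),
    event(4104, "WS04", r"CORP\bkim", "", r"gp 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | % DisplayName"),
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} {alert['user']}: {alert['script']}")
```

Only the first and last sample events alert: the second is allowlisted, the third reads a different key, and the fourth is not a 4104 event.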
Detection coverage (2 rules)
Detect Windows Software Discovery Via PowerShell
Severity: medium. Detects the use of PowerShell to query the registry for installed software information from the Uninstall key.
Detect Windows Software Discovery Via PowerShell Script Block Logging
Severity: medium. Detects the use of PowerShell-based registry queries to pull installed software information from the Uninstall key via Script Block Logging.