{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/software-discovery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["software-discovery","powershell","registry","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PowerShell to enumerate installed software on compromised systems. By querying the \u003ccode\u003eUninstall\u003c/code\u003e registry key, adversaries can quickly gather detailed information about installed applications, including version numbers and patch levels. This information can then be used to identify vulnerable software and prioritize targets for further exploitation. This activity is often observed post-compromise as part of the reconnaissance phase. The detection is based on PowerShell script block logging (Event ID 4104) and focuses on identifying specific script content related to \u003ccode\u003eGet-ItemProperty\u003c/code\u003e and the \u003ccode\u003eUninstall\u003c/code\u003e key. This technique allows attackers to efficiently map out the software landscape of a target environment, increasing the likelihood of successful exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a public-facing vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell with a command designed to query the \u003ccode\u003eUninstall\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eGet-ItemProperty\u003c/code\u003e to retrieve information about installed software from the \u003ccode\u003eHKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\u003c/code\u003e or \u003ccode\u003eHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\u003c/code\u003e registry hives.\u003c/li\u003e\n\u003cli\u003eThe script iterates through the registry entries, extracting details such as software name, version, and installation path.\u003c/li\u003e\n\u003cli\u003eThe collected information is formatted and stored in a variable for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker may then filter, sort, or further process the collected software inventory data to identify specific targets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the software inventory information to a command and control (C2) server for analysis.\u003c/li\u003e\n\u003cli\u003eBased on the software inventory, the attacker identifies vulnerable applications and plans subsequent attacks, such as exploiting known CVEs or deploying targeted malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful software discovery allows attackers to identify and exploit vulnerabilities in installed applications. This can lead to further compromise of the system, including data theft, ransomware deployment, or lateral movement within the network. The impact can range from individual workstation compromise to widespread enterprise-level breaches, depending on the scope of the attacker\u0026rsquo;s activities and the criticality of the targeted software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to provide visibility into PowerShell commands executed on endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Windows Software Discovery Via PowerShell\u0026rdquo; to your SIEM to detect suspicious PowerShell registry queries targeting the \u003ccode\u003eUninstall\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user accounts and systems involved in the activity.\u003c/li\u003e\n\u003cli\u003eReview and filter authorized management scripts identified as false positives, updating the Sigma rule to exclude them.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual network connections originating from systems where software discovery activity has been detected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-windows-software-discovery/","summary":"Attackers use PowerShell to query the Windows registry's Uninstall key to discover installed software and identify potential vulnerabilities for exploitation.","title":"Windows Software Discovery via PowerShell Registry Queries","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-software-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed — Software-Discovery","version":"https://jsonfeed.org/version/1.1"}