
Software Discovery

What is "Software Discovery"?

"Software Discovery" refers to a technique used by attackers to identify and gather information about installed software applications on a system. This process is part of the broader tactic known as "Discovery," which is cataloged under the MITRE ATT&CK framework. The primary goal of software discovery is to ascertain the environment's specifics, including software versions, configurations, and installed security solutions, which can help attackers tailor their subsequent actions, such as exploiting known vulnerabilities or evading detection.

How is Software Discovery Performed?

Software discovery can be performed using various methods:

  1. Command-Line Tools: Attackers often use native system tools to query installed software. For example:
     • On Windows, commands like wmic product get name,version or PowerShell cmdlets like Get-WmiObject -Query 'SELECT * from Win32_Product' are used.
     • On Linux systems, package manager queries such as dpkg -l or rpm -qa list installed packages, and directories like /etc/ can be searched for configuration files.

  2. System APIs: Programs can be written to interact with system APIs that provide information about installed applications. For instance, using Windows API functions like EnumProcesses to list running processes or Linux's /proc filesystem.

  3. Third-Party Tools: Tools like Nessus or Nmap have scripts and plugins that can remotely detect software on target systems through network scanning.

  4. File System Inspection: Directly inspecting directories commonly used for installations (e.g., /usr/bin, /opt, C:\Program Files) can reveal installed applications.
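The command-line methods above are also what a defender looks for in process-creation telemetry. The following Python script is an added example (not part of the original article) showing that detection side: it parses constructed, Sysmon/auditd-style key=value process-creation records and flags command lines that match the native discovery commands listed above (wmic product get, Win32_Product queries, dpkg -l, rpm -qa). The record layout, field names and the svc-inventory allowlist are assumptions for the example; the sample log is constructed, not real telemetry.

```python
"""Flag Software Discovery commands (MITRE ATT&CK T1518) in process-creation logs.

Added example, not code from the original article. Record format (key=value
pairs, quoted values may contain spaces) and field names are assumptions.
"""
import re
from dataclasses import dataclass

# Case-insensitive patterns for the native discovery commands the article names.
DISCOVERY_PATTERNS = [
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bproduct\b.*\bget\b", re.I), "wmic product get"),
    (re.compile(r"\bWin32_Product\b", re.I), "WMI Win32_Product query"),
    (re.compile(r"(?:^|[\s;&|])dpkg\s+(?:-l\b|--list\b)", re.I), "dpkg -l"),
    (re.compile(r"(?:^|[\s;&|])rpm\s+(?:-qa\b|--query\s+--all\b)", re.I), "rpm -qa"),
]

# Accounts whose scheduled inventory jobs legitimately run these commands.
# Assumption: a real deployment would load this from the SIEM or config management.
ALLOWLISTED_USERS = {"svc-inventory"}


@dataclass
class Alert:
    host: str
    user: str
    label: str
    command_line: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Parse one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(command_line: str):
    """Return the label of the first matching discovery pattern, or None."""
    for pattern, label in DISCOVERY_PATTERNS:
        if pattern.search(command_line):
            return label
    return None


def detect(log_text: str) -> list:
    """Run the patterns over every record; skip allowlisted inventory accounts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        cmd = rec.get("cmdline", "")
        label = classify(cmd)
        if label is None or rec.get("user") in ALLOWLISTED_USERS:
            continue
        alerts.append(Alert(rec.get("host", "?"), rec.get("user", "?"), label, cmd))
    return alerts


# Constructed sample log (not real telemetry); the field layout is an assumption.
SAMPLE_LOG = r'''
ts=2024-05-01T09:00:01Z host=ws01 user=alice image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe report.txt"
ts=2024-05-01T09:00:07Z host=ws01 user=alice image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic product get name,version"
ts=2024-05-01T09:00:09Z host=ws02 user=bob image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -c Get-WmiObject -Query 'SELECT * from Win32_Product'"
ts=2024-05-01T09:00:15Z host=srv01 user=svc-inventory image=/usr/bin/dpkg cmdline="dpkg -l"
ts=2024-05-01T09:00:20Z host=srv02 user=www-data image=/bin/sh cmdline="sh -c 'id; rpm -qa'"
ts=2024-05-01T09:00:25Z host=srv02 user=www-data image=/usr/bin/cat cmdline="cat /etc/os-release"
'''

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.label}] host={a.host} user={a.user} cmd={a.command_line!r}")
```

Run as-is, the script reports three alerts: the wmic query on ws01, the Win32_Product PowerShell query on ws02, and rpm -qa launched from a shell under the www-data account on srv02 (a web-service account enumerating packages is the kind of context worth escalating). The dpkg -l run by svc-inventory is suppressed by the allowlist; in practice these commands are common in administration, so pairing the match with the user, parent process and frequency is what separates a useful signal from noise.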

Where is Software Discovery Applied?

Software discovery is applied in various environments including:

  • Corporate networks during penetration testing or red team exercises to understand the security landscape.
  • Compromised machines by attackers aiming to escalate privileges or move laterally within a network.
  • Software audits for compliance and management purposes.

Why Perform Software Discovery?

The rationale behind performing software discovery includes:

  • Exploitation of Known Vulnerabilities: Identifying software versions allows attackers to exploit known vulnerabilities specific to those versions.
  • Privilege Escalation: Certain applications might have misconfigurations or exploitable flaws that allow privilege escalation.
  • Avoidance of Detection: By knowing what security tools are installed (e.g., antivirus programs), attackers can tailor their methods to evade detection.
  • Tailoring Payloads: Different systems might require different payloads for successful exploitation; knowing the exact environment helps in crafting these payloads.
  • Compliance and Management: From a defensive perspective, understanding what software is installed is crucial for patch management and compliance with security policies.

By systematically cataloging this information under the MITRE ATT&CK framework, organizations can better understand attacker methodologies and develop more effective defensive strategies against such reconnaissance activities.