软件披露

攻击者可能会尝试获取系统上安装的与安全无关的软件的列表。攻击者可以在自动发现过程中使用来自 软件披露 (T1518)的信息来塑造后续行为，包括攻击者是否完全感染目标和或尝试采取特定行动。

Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery(T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

标签

编号： T1518

策略： 披露

平台： Linux，macOS，Windows

所需权限： User, Administrator

程序示例

程序示例

名称	描述
Orz (S0229)	Orz (S0229) 可以收集受害者的Internet Explorer版本。

Name	Description
Orz (S0229)	Orz (S0229)can gather the victim's Internet Explorer version.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

当对手了解环境时，系统和网络发现技术通常会在整个操作中出现。数据和事件不应孤立地看待，而应作为行为链的一部分，根据所获得的信息，这些行为和行为可能导致其他活动，例如横向运动。

监视进程和命令行参数以了解可以采取哪些措施来收集系统和网络信息。具有内置功能的远程访问工具可以直接与Windows API交互以收集信息。也可以通过Windows系统管理工具（例如[Windows Management Instrumentation(T1047)和PowerShell获取信息 (T1086)。

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation(T1047) and [PowerShell(T1086).