Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Such software may be deployed widely across the environment for configuration management or security reasons, such as Software Deployment Tools, and may allow adversaries broad access to infect devices or move laterally.
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1518 | Software Discovery | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens CrowdStrike Falcon's ability to detect Software Discovery activity earlier in the kill chain, in real time and with minimal impact on system performance.
Software Discovery activity consists of an adversary mapping the software applications, versions and services present on a target system. Attackers use this reconnaissance to profile the environment and to identify vulnerable versions, misconfigurations or security products that shape their next steps. Intel TDT contributes to identifying this behavior by providing real-time, CPU-level telemetry on program execution, memory access and control flow, which lets the sensor spot abnormal patterns such as unauthorized scanning or probing of installed software. Because the same enumeration commands are also run by legitimate administrators and deployment tooling, detections built on this telemetry need to be correlated with context (parent process, user, and whether the source is a known management agent) to keep false positives manageable.
In addition, CAMS offloads the memory-scanning workload from the CPU to the Intel integrated GPU, so memory can be scanned more often and more thoroughly without degrading system performance. This lets Falcon flag in-memory activity associated with attempts to discover or fingerprint the software applications and services running on the system, providing proactive defense against these reconnaissance techniques.
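The technique description above lists what an adversary enumerates, and the comments describe detection of "unauthorized scanning or probing of installed software" that has to be weighed against legitimate deployment tooling. The following is an added example, not code from Intel, CrowdStrike or the mapping project: a small scorer that runs known T1518 / T1518.001 enumeration command patterns over process-creation events, boosts the score for suspicious parents and evasive flags, and suppresses hits whose parent is a configuration-management agent. The rule weights, the allowlisted and suspicious parent lists, and the sample events are all constructed assumptions for the example and would be tuned to a real estate.

```python
"""Score process-creation events for ATT&CK T1518 (Software Discovery) behaviour.

Added example; the patterns, weights, parent lists and sample events are
assumptions constructed for illustration, not vendor detection logic.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon/auditd-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c wmic product get name,version"},
    {"host": "ws01", "user": "CORP\\alice",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "Get-ItemProperty '
                'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* '
                '| Select DisplayName,DisplayVersion"'},
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\CCM\\CcmExec.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic product get name,version,vendor"},
    {"host": "srv01", "user": "root", "parent": "/usr/sbin/sshd", "image": "/usr/bin/bash",
     "cmdline": "bash -c 'dpkg -l | grep -i -E \"(crowdstrike|falcon|clamav)\"'"},
    {"host": "ws03", "user": "CORP\\bob", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


@dataclass
class Rule:
    technique: str        # ATT&CK ID the command-line pattern maps to
    name: str
    pattern: re.Pattern
    weight: int


# Command-line patterns that inventory installed software (T1518) or security products (T1518.001).
RULES = [
    Rule("T1518", "wmic product enumeration",
         re.compile(r"\bwmic(?:\.exe)?\b.*\bproduct\b.*\b(?:get|list)\b", re.I), 40),
    Rule("T1518", "Win32_Product via WMI/CIM cmdlets",
         re.compile(r"\b(?:get-wmiobject|gwmi|get-ciminstance)\b.*\bwin32_product\b", re.I), 40),
    Rule("T1518", "Uninstall registry key enumeration",
         re.compile(r"(?:get-itemproperty|get-childitem|gci|reg(?:\.exe)?\s+query)\b.*uninstall", re.I), 40),
    Rule("T1518", "PowerShell package cmdlets",
         re.compile(r"\b(?:get-package|get-appxpackage|get-appxprovisionedpackage)\b", re.I), 40),
    Rule("T1518", "Linux/macOS package listing",
         re.compile(r"\b(?:dpkg(?:-query)?\s+-l|rpm\s+-qa|apt(?:-get)?\s+list\b.*--installed|"
                    r"yum\s+list\s+installed|pacman\s+-Q|brew\s+list)\b", re.I), 40),
    Rule("T1518.001", "Defender/firewall status queries",
         re.compile(r"\b(?:get-mpcomputerstatus|get-mppreference|"
                    r"sc(?:\.exe)?\s+query\s+(?:windefend|sense)\b|netsh\s+advfirewall\s+show)", re.I), 40),
    Rule("T1518.001", "process/service listing filtered for security products",
         re.compile(r"\b(?:ps|systemctl|tasklist|get-process|get-service|grep)\b.*"
                    r"\b(?:falcon|crowdstrike|defender|msmpeng|sysmon|carbonblack|sentinel|"
                    r"clamav|auditd|osquery|wazuh)", re.I), 30),
]

# Context: Office and script hosts do not normally inventory software (raise the score);
# deployment/config-management agents do it routinely (suppress). Both lists are assumptions.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
ALLOWLISTED_PARENTS = {"ccmexec.exe", "chef-client", "puppet", "salt-minion"}
EVASIVE_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-nop\b|-noni\b", re.I)


@dataclass
class Assessment:
    score: int
    techniques: tuple     # sorted ATT&CK IDs matched by the command line
    reasons: tuple
    suppressed: bool = False


def _basename(path: str) -> str:
    """Lower-cased file name from either a Windows or a POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def assess(event: dict) -> Assessment:
    """Match the command line against RULES, then adjust for parent process and flags."""
    cmd = event.get("cmdline", "")
    parent = _basename(event.get("parent", ""))
    hits = [r for r in RULES if r.pattern.search(cmd)]
    if not hits:
        return Assessment(0, (), ())
    techniques = tuple(sorted({r.technique for r in hits}))
    reasons = [r.name for r in hits]
    if parent in ALLOWLISTED_PARENTS:          # expected inventory activity: keep the trail, no alert
        reasons.append(f"suppressed: parent {parent} is an allowlisted deployment agent")
        return Assessment(0, techniques, tuple(reasons), suppressed=True)
    score = sum(r.weight for r in hits)
    if parent in SUSPICIOUS_PARENTS:
        score += 30
        reasons.append(f"spawned by {parent}")
    if EVASIVE_FLAGS.search(cmd):
        score += 20
        reasons.append("evasive PowerShell flags")
    return Assessment(min(score, 100), techniques, tuple(reasons))


def detect(events, threshold: int = 40):
    """Return (host, user, assessment) for every non-suppressed event at or above threshold."""
    alerts = []
    for ev in events:
        a = assess(ev)
        if not a.suppressed and a.score >= threshold:
            alerts.append((ev["host"], ev["user"], a))
    return alerts


if __name__ == "__main__":
    for host, user, a in detect(SAMPLE_EVENTS):
        print(f"{host} {user} score={a.score} {a.techniques} :: {'; '.join(a.reasons)}")
```

Run against the constructed events, the Office-spawned hidden PowerShell that reads the Uninstall key scores highest, the SCCM client's `wmic product` query is suppressed rather than alerted, and the SSH session that lists packages and greps for EDR names is tagged with both T1518 and T1518.001. Summing rule weights is deliberately simple; the point is that context (parent, user, flags) rather than the command alone decides whether enumeration is worth an analyst's time.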