T1518: T1518
Essential information
- MITRE technique ID
T1518- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Aliases
Software Discovery
Platforms
windows macos linux IaaS ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
The MITRE Corporation Confidence 100
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Larva-26002 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lampion usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Raspberry Robin usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Hive0145 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HoneyMyte usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Runningcrab usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT 42 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ice Breaker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ping3r and Rodrigo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TamperedChef usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (89)
-
Shai-Hulud 2.0 usesFamily
-
RansomHub usesFamily
-
EDRKillShifter usesFamily
-
Mydoor usesFamily
-
FatalRAT usesFamily
-
Bundlore uses
-
ValleyRAT usesFamily
-
HotCroissant uses
-
Lumma usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PeerTime usesFamily
-
Crimson RAT usesFamily
-
Subzero usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
13 MITREs 4 Malwares 2 Observables 1 APT
-
12 CVEs 14 MITREs 2 Malwares 77 Observables 1 APT
-
17 MITREs 3 Observables
-
24 MITREs 3 Malwares 147 Observables 1 APT
-
16 MITREs 1 Malware 9 Observables
-
25 MITREs 4 Observables 1 APT
-
3 CVEs 16 MITREs 5 Observables
-
19 MITREs 1 Malware 2 Observables 1 APT
-
20 MITREs 1 Malware 56 Observables
-
15 MITREs 3 Malwares 10 Observables
-
14 MITREs 1 Malware 3 Observables
-
16 MITREs 4 Malwares 19 Observables 1 APT
Vulnerabilities (CVE) (85)
Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …
- Attack vector
- Network
- Published
- 11/10/2022
- Modified
- 14/01/2026
Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
- Attack vector
- LOCAL
- Published
- 10/01/2024
- Modified
- 15/03/2026
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
targets
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector
- Network
- Published
- 15/03/2023
- Modified
- 21/12/2025
targets
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and …
- Published
- 16/05/2022
- Modified
- 20/12/2025
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
- Attack vector
- Network
- Published
- 30/09/2022
- Modified
- 20/12/2025
A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, …
- Attack vector
- NETWORK
- Published
- 05/11/2025
- Modified
- 15/03/2026
Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 05/03/2024
- Modified
- 04/04/2026
Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web …
- Attack vector
- LOCAL
- Published
- 24/08/2021
- Modified
- 10/03/2026
Campaign (1)
-
Juicy Mix uses
Tool (1)
-
ShimRatReporter usesThe MITRE Corporation Confidence 100
[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…