T1518: T1518

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/09/2019 19:52 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1518
Confidence: 100/100
Revoked: No
Published: 16/09/2019 19:52
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Software Discovery

Platforms

windows macos linux IaaS ESXi

Description

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

mitre-attack (T1518)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Larva-26002 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lampion uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Raspberry Robin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Windshift uses Bahamut

The MITRE Corporation Confidence 100

[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0145 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HoneyMyte uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Runningcrab uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT 42 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ice Breaker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TamperedChef uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 54

Shai-Hulud 2.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

Family
EDRKillShifter uses

Family
Moudoor uses

The MITRE Corporation Confidence 100

[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FatalRAT uses

Family
Bundlore uses
ValleyRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HotCroissant uses
Lumma uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PeerTime uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crimson RAT uses

Family
Subzero uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 80

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT
Teams Social Engineering Attack: Threat Actors Impersonate IT … related

11 MITREs
Technical Analysis of Matanbuchus 3.0 related

20 MITREs 1 Malware 5 Observables
Arkanix Stealer: Newly discovered short term profit malware related

25 MITREs 2 Observables
Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems related

20 MITREs 1 Malware 6 Observables 1 APT
Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest … related

17 MITREs 1 Malware 4 Observables
Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats related

21 MITREs 2 Malwares 9 Observables 1 APT
It's not personal, it's just business related

6 MITREs 5 Observables
Contagious Interview Actors Now Utilize JSON Storage Services … related

15 MITREs 4 Malwares 84 Observables 1 APT
Remote access, real cargo: cybercriminals targeting trucking and … related

10 MITREs 10 Malwares 39 Observables
From Brazil with Love: New Tactics from Lampion related

4 MITREs 2 Malwares 20 Observables 1 APT
Analysis of Trigona Threat Actor's Latest Attack Cases related

18 MITREs 2 Malwares 5 Observables 1 APT

← Previous

Page / 5

25–36 of 50

Vulnerabilities (CVE) (85)

CVE-2024-23222 KEV targets

8.8 High

Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted …

Attack vector: Network
Complexity: LOW
Published: 23/01/2024
Modified: 04/04/2026

CWE-843

CVE-2018-6065 KEV targets

Google Chromium V8 Engine contains an integer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2025-0411 KEV targets

7.0 High

7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction …

Attack vector: Local
Published: 06/02/2025
Modified: 21/12/2025

Analyzed

CVE-2024-23225 KEV targets

7.8 High

Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read …

Attack vector: Local
Complexity: LOW
Published: 05/03/2024
Modified: 04/04/2026

CWE-787

CVE-2023-20891

targets

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2020-27932 KEV targets

Apple iOS, iPadOS, macOS, and watchOS contain a type confusion vulnerability that may allow a malicious application to execute code with kernel …

Published: 03/11/2021
Modified: 03/03/2026

CVE-2023-20862

targets

CVE-2023-38606 KEV targets

5.5 Medium

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.

Attack vector: Local
Published: 26/07/2023
Modified: 21/12/2025

CVE-2018-17463 KEV targets

Google Chromium V8 Engine contains an unspecified vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2025-6543 targets

9.2 Critical

Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway …

Published: 25/06/2025
Modified: 26/06/2025

Awaiting Analysis

← Previous

Page / 8

13–24 of 85

Juicy Mix uses

Tool (1)

ShimRatReporter uses

The MITRE Corporation Confidence 100

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…

Contact About Legal notice Privacy policy Terms of use

T1518: T1518

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (54)

Malware (80)

Reports (50)

Vulnerabilities (CVE) (85)

Campaign (1)

Tool (1)