Windows Software Discovery Via PowerShell
- source: splunk
- techniques:
- T1518
- T1059.001
- T1012
Description
Detects PowerShell-based registry queries that pull installed-software information from the Uninstall key. This gives an attacker version information for installed software, which can be used to identify further vulnerabilities. False positives are unlikely, as this is an unusual key to query with PowerShell.
Detection logic
`powershell`
EventID="4104"
ScriptBlockText="*Get-ItemProperty *"
ScriptBlockText="*Windows\\CurrentVersion\\Uninstall*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_software_discovery_via_powershell_filter`
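The search above, re-implemented as an added Python example (not part of the original rule or of Splunk's content) and run over constructed 4104 events: it applies the same EventID and ScriptBlockText wildcard filter and the same stats/rename step, grouped by Computer, user_id and ScriptBlockText only. The `powershell` and `windows_software_discovery_via_powershell_filter` macros are assumed to be data-source and allowlist boilerplate and are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample events shaped like Splunk-extracted PowerShell Script
# Block Logging records (EventID 4104); hosts, SIDs and script text are invented.
UNINSTALL_QUERY = (r"Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion"
                   r"\Uninstall\* | Select-Object DisplayName, DisplayVersion")
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": "4104", "Computer": "ws01", "user_id": "S-1-5-21-1-1001",
     "ScriptBlockText": UNINSTALL_QUERY},
    {"_time": 1700000300, "EventID": "4104", "Computer": "ws01", "user_id": "S-1-5-21-1-1001",
     "ScriptBlockText": UNINSTALL_QUERY},          # same block re-run five minutes later
    {"_time": 1700000600, "EventID": "4104", "Computer": "ws02", "user_id": "S-1-5-21-1-1002",
     "ScriptBlockText": r"get-itemproperty 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'"},
    {"_time": 1700000900, "EventID": "4104", "Computer": "ws03", "user_id": "S-1-5-21-1-1003",
     "ScriptBlockText": r"Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\W32Time"},  # unrelated key
    {"_time": 1700001200, "EventID": "4103", "Computer": "ws04", "user_id": "S-1-5-21-1-1004",
     "ScriptBlockText": UNINSTALL_QUERY},          # module-logging event, not 4104
]

# The search's two wildcard terms. In a quoted Splunk search string "\\" is one
# literal backslash, and field-value matching is case-insensitive, so pattern
# and field value are compared in lower case.
PATTERNS = ["*get-itemproperty *", "*windows\\currentversion\\uninstall*"]

def matches(event):
    """Mirror the search filter: EventID=4104 and both ScriptBlockText terms."""
    if event.get("EventID") != "4104":
        return False
    text = event.get("ScriptBlockText", "").lower()
    return all(fnmatchcase(text, p) for p in PATTERNS)

def run_detection(events):
    """Mirror `stats count min(_time) as firstTime max(_time) as lastTime by ...`
    and `rename Computer as dest`, grouped by Computer, user_id and ScriptBlockText
    (the search's remaining by-fields are omitted here)."""
    rows = {}
    for ev in filter(matches, events):
        key = (ev["Computer"], ev["user_id"], ev["ScriptBlockText"])
        row = rows.setdefault(key, {"dest": ev["Computer"], "user_id": ev["user_id"],
                                    "ScriptBlockText": ev["ScriptBlockText"], "count": 0,
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return sorted(rows.values(), key=lambda r: r["firstTime"])

if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):   # prints ws01 (count=2) and ws02 (count=1)
        print(f'{r["dest"]} {r["user_id"]} count={r["count"]} '
              f'firstTime={r["firstTime"]} lastTime={r["lastTime"]}')
```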