Backup Software Discovery - T1518.002 (4a6cfdae-1417-40c7-a84e-f59d21c58266)
Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact.
Commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for, such as Veeam, Acronis, Dropbox, or Paragon.(Citation: Symantec Play Ransomware 2023)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Backup Software Discovery - T1518.002 (4a6cfdae-1417-40c7-a84e-f59d21c58266) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 1 |