Windows Software Discovery Via PowerShell

name: Windows Software Discovery Via PowerShell
id: 213b4187-1bb9-449e-9406-5bb686a53440
version: 2
creation_date: '2026-05-05'
modification_date: '2026-05-13'
author: Raven Tait, Splunk
status: production
type: Anomaly
description: |-
    Detects the use of PowerShell based registry queries to pull installed software information from the Uninstall key.
    This will give an attacker version information on installed software which could be used to identify further vulnerabilities.
    False positives are unlikely as this is an unusual key to query with PowerShell.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell`
    EventID="4104"
    ScriptBlockText="*Get-ItemProperty *"
    ScriptBlockText="*Windows\\CurrentVersion\\Uninstall*"
    | fillnull
    | stats count min(_time) as firstTime
                  max(_time) as lastTime
      by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid
         Opcode Name Path ProcessID ScriptBlockId
    
    | rename Computer as dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_software_discovery_via_powershell_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Legitimate system administrators or security tools may query the Uninstall key via PowerShell for software inventory or compliance checks. Filter as needed to allow authorized management scripts.
drilldown_searches:
    - earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
      name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: Potential software discovery via PowerShell observed on $dest$ via script block $ScriptBlockId$.
analytic_story:
    - Windows Discovery Techniques
asset_type: Endpoint
mitre_attack_id:
    - T1518
    - T1059.001
    - T1012
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1518/snapattack/snapattack.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog
      test_type: unit