DET0088: Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002)
Analyst context for executives and security teams
This detection strategy matters because backup discovery is often a preparatory behavior before an adversary tries to disrupt recovery options. For leaders, the key issue is not just whether backup software exists, but whether the organization can see attempts to identify it before destructive or ransomware-like impact actions occur.
Executive priority
Prioritize this as an operational resilience and incident-readiness control. Security leaders should ask whether the SOC can observe backup software discovery on Windows, macOS, and Linux endpoints, and whether incident responders have a clear escalation path when backup tooling or its configuration is being inspected from an unexpected user, host, or parent process. The same telemetry also supports audit and compliance evidence that recovery infrastructure is monitored.
Technical view
DET0088 is a detection strategy for T1518.002, Backup Software Discovery. The supplied object has no official detection text, so validation should focus on the strategy name and related technique context: command-line activity, registry inspection where applicable, and process inspection used to identify backup software or configurations. SOC teams should correlate this discovery behavior with other discovery activity and any later behaviors associated with recovery inhibition, destruction, or encryption for impact, without assuming those outcomes occurred.
Likely telemetry
- Command-line execution records and process creation events
- Process inspection or process enumeration activity
- Windows Registry access or query telemetry where applicable
- Endpoint detection and response telemetry from Windows, macOS, and Linux systems covered by the related technique
- Logs from systems hosting or administering backup software, where available
Detection direction
- Validate whether endpoint telemetry captures command-line, process, and registry evidence with sufficient detail for investigation.
- Tune detections to distinguish legitimate backup administration, inventory, and monitoring from unusual discovery by unexpected users, hosts, or parent processes.
- Correlate backup software discovery with broader discovery activity and with later behaviors related to Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact when present.
- Check blind spots on servers, backup administration endpoints, and non-Windows systems: the related technique spans Windows, macOS, and Linux, while registry-based evidence exists only on Windows, so macOS and Linux coverage depends on process, command-line, and service-enumeration telemetry instead.
- Use allowlists carefully; backup administrators and management tools may generate similar telemetry, but overly broad exclusions can hide meaningful reconnaissance.
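The detection direction above can be exercised against sample endpoint telemetry. The block below is an added example written for this page, not code from MITRE or from Glexia: it runs a backup-discovery rule over constructed process-creation events, keeps a narrow user-and-host allowlist for known backup administrators rather than a broad exclusion, raises severity for unexpected parent processes, and correlates each discovery hit with later recovery-inhibition commands on the same host. The product keywords, enumeration commands, host and user names, and the 24-hour correlation window are all assumptions chosen for illustration.

```python
"""Correlate backup-software discovery with later recovery inhibition (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed backup product and tool names; extend this for the products in your estate.
BACKUP_KEYWORDS = re.compile(
    r"veeam|acronis|commvault|veritas|netbackup|backup\s*exec|bacula|restic|borg|"
    r"tmutil|time\s*machine|windows\s*backup", re.I)
# Enumeration primitives used to list installed software, services, and processes (CLI,
# PowerShell, and registry on Windows; ps/systemctl/launchctl/package managers elsewhere).
ENUM_TOOLS = re.compile(
    r"\b(sc(\.exe)?\s+query|reg(\.exe)?\s+query|tasklist|wmic(\.exe)?\s+(service|product|process)|"
    r"get-service|get-process|get-itemproperty|get-wmiobject|get-ciminstance|"
    r"ps\s+(aux|-ef)|systemctl\s+list-units|launchctl\s+list|dpkg\s+-l|rpm\s+-qa)\b", re.I)
# Later recovery-inhibition commands that turn an early discovery signal into an incident.
INHIBIT_RECOVERY = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog|"
    r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

# Narrow allowlist: a specific admin account on a specific backup console, never a whole group.
APPROVED_BACKUP_ADMINS = {("backupadm", "bkp-console01")}
# Parents that should not normally spawn software-inventory commands.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe", "mshta.exe", "wscript.exe"}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def classify_discovery(ev: ProcEvent):
    """Return None if not backup discovery, else a base severity for the hit."""
    if not (ENUM_TOOLS.search(ev.cmdline) and BACKUP_KEYWORDS.search(ev.cmdline)):
        return None
    if (ev.user, ev.host) in APPROVED_BACKUP_ADMINS:
        return "low"          # recorded, not suppressed: allowlisted admins are still visible
    if ev.parent.lower() in SUSPICIOUS_PARENTS:
        return "high"
    return "medium"


def correlate(events, window=timedelta(hours=24)):
    """Pair each discovery hit with recovery-inhibition commands seen later on the same host."""
    ordered = sorted(events, key=lambda e: e.ts)
    inhibits = defaultdict(list)
    for ev in ordered:
        if INHIBIT_RECOVERY.search(ev.cmdline):
            inhibits[ev.host].append(ev)
    findings = []
    for ev in ordered:
        sev = classify_discovery(ev)
        if sev is None:
            continue
        later = [i.cmdline for i in inhibits[ev.host] if ev.ts < i.ts <= ev.ts + window]
        findings.append({
            "host": ev.host, "user": ev.user, "parent": ev.parent,
            "severity": "critical" if later else sev,
            "discovery": ev.cmdline, "followed_by": later,
        })
    return findings


# Constructed sample telemetry (Sysmon/EDR-style process creation events), not real logs.
T0 = datetime(2024, 5, 6, 8, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "bkp-console01", "backupadm", "explorer.exe", "sc.exe",
              "sc query VeeamBackupSvc"),
    ProcEvent(T0 + timedelta(minutes=30), "lnx-db02", "svc-app", "bash", "ps",
              "ps -ef | grep -i bacula"),
    ProcEvent(T0 + timedelta(hours=1), "ws-0423", "jdoe", "WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -c \"Get-Service | Where-Object { $_.DisplayName -match 'veeam|acronis' }\""),
    ProcEvent(T0 + timedelta(hours=1, minutes=5), "ws-0423", "jdoe", "cmd.exe", "reg.exe",
              "reg query \"HKLM\\SOFTWARE\\Veeam\\Veeam Backup and Replication\" /s"),
    ProcEvent(T0 + timedelta(hours=3, minutes=30), "ws-0423", "jdoe", "cmd.exe", "vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(T0 + timedelta(hours=4), "ws-0100", "alice", "explorer.exe", "tasklist.exe",
              "tasklist /svc"),   # generic enumeration, no backup keyword: not a hit
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], "<-", f["parent"], "|", f["discovery"])
        for cmd in f["followed_by"]:
            print("    followed by:", cmd)
```

On the sample data the backup console hit stays at low severity but is still recorded, the Linux `ps` hit is medium, and the two ws-0423 hits become critical because the same host deletes shadow copies within the window. The allowlist is keyed on a user-and-host pair on purpose: excluding every member of a backup-admin group, or every host that runs the backup agent, would hide exactly the reconnaissance this page is concerned with.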
Mitigation priorities
- Restrict access to backup software configuration, management consoles, and recovery infrastructure using least privilege.
- Ensure backup administration actions are logged and reviewed, especially from non-standard users or hosts.
- Segment and harden systems that manage backups so discovery from ordinary endpoints is less useful.
- Include backup discovery signals in incident response triage playbooks for ransomware and destructive-event readiness.
- Regularly test whether monitoring and escalation processes provide usable evidence before an incident requires recovery decisions.
Analyst notes and limits
The strongest decision value is early warning: discovery of backup tooling can inform adversary planning before impact-stage activity. Treat this detection as part of a resilience-focused detection chain rather than a standalone proof of compromise.
The supplied DET0088 object has no official description, no official detection text, and no specified platforms or tactics. Platform and tactic context come from the relationship to T1518.002. Local logging, endpoint coverage, and known administrative workflows are required to determine practical detection quality.
Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1518.002 | Backup Software Discovery (sub-technique) | This object detects Backup Software Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK Resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 64c02455e57b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0088
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.