MITRE ATT&CK® Detection Strategy

DET0392: Multi-Platform Software Discovery Behavior Chain


Domain: Enterprise | ID: DET0392 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0392 is a detection strategy for recognizing behavior chains associated with Software Discovery. The business significance is that software and version discovery often helps an intruder decide what to do next: identify security tools, configuration platforms, vulnerable software, or cloud/host capabilities before escalating or tailoring follow-on actions. For leaders, this is less about one command and more about whether the organization can see early reconnaissance across relevant environments before it becomes an incident requiring broader containment.

Executive priority

Prioritize this as an early-warning and readiness control for discovery-stage activity tied to ATT&CK T1518. Security leaders should ask whether SOC and incident response teams can show evidence that software inventory queries are observable on the platforms ATT&CK lists for T1518 (ESXi, IaaS, Linux, and macOS) wherever those platforms are deployed. This also supports vulnerability management and audit conversations: if defenders cannot observe unusual software/version enumeration, they may miss the point at which an adversary is selecting targets, bypassing controls, or preparing exploitation and lateral movement decisions.

Technical view

The imported DET0392 object carries no official description, detection logic, tactics, or platforms of its own; its only relationship is to T1518 Software Discovery, a Discovery technique listed for ESXi, IaaS, Linux, and macOS. SOC and detection engineering teams should therefore validate behavior-chain analytics that identify software and version enumeration in context rather than relying on a single indicator. Useful validation compares process and command-line activity, cloud control-plane inventory queries where applicable, endpoint management records, and software inventory changes against known administrative baselines.

Likely telemetry

  • Endpoint process execution and command-line telemetry on Linux and macOS where collected
  • ESXi administrative command or management activity logs where applicable
  • IaaS control-plane or audit logs showing inventory, package, image, agent, or software-related enumeration where available
  • Software inventory, asset management, and configuration management records
  • EDR or host audit events that show parent-child process context for discovery utilities

Detection direction

  • Validate coverage against T1518 Software Discovery rather than assuming this detection strategy provides complete logic; the official detection field is not supplied.
  • Tune for behavior chains: repeated or broad software/version enumeration, discovery followed by additional reconnaissance, or discovery from unusual users, hosts, sessions, or cloud principals.
  • Establish baselines for legitimate inventory tools, patch management, configuration management, vulnerability scanners, and administrative scripts to reduce false positives.
  • Pay attention to blind spots in ESXi, IaaS, Linux, and macOS telemetry collection, especially where command-line logging, cloud audit logging, or management-plane logging is incomplete.
  • Correlate discovery events with identity context and asset criticality so alerts on sensitive servers, cloud workloads, or management systems receive higher triage priority.
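As an added example, not MITRE's or Glexia's analytic content, the following Python script applies the behavior-chain rules above, and the validation approach described in the technical view, to a set of constructed process-execution events: it tags each command line as software/version discovery or follow-on reconnaissance, groups events by host and session, suppresses actors that match a documented patching/inventory baseline, alerts only when two or more distinct discovery commands or discovery-then-reconnaissance occur inside a 15-minute window, and weights the score by asset criticality. The event schema, command patterns, baseline pairs, window length and scoring are assumptions chosen for illustration.

```python
"""Behavior-chain analytic for software discovery (ATT&CK T1518) over
process-execution telemetry. Added example, not MITRE or Glexia analytic
content; event schema, command patterns, baseline and scoring are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Software/version enumeration commands per platform (assumed, not an official
# ATT&CK list): (platform, regex matched against the command line).
DISCOVERY = [(p, re.compile(rx)) for p, rx in [
    ("linux", r"\bdpkg\s+(-l|--list)\b"),
    ("linux", r"\brpm\s+-qa\b"),
    ("linux", r"\bapt\s+list\s+--installed\b"),
    ("linux", r"\bpip3?\s+(list|freeze)\b"),
    ("macos", r"\bsystem_profiler\s+SPApplicationsDataType\b"),
    ("macos", r"\bbrew\s+list\b"),
    ("esxi", r"\besxcli\s+software\s+(vib|profile)\s+(list|get)\b"),
    ("esxi", r"\bvmware\s+-vl?\b"),
    ("iaas", r"\baws\s+ssm\s+(list-inventory-entries|describe-instance-information)\b"),
]]
# Reconnaissance that turns a single inventory query into a chain.
FOLLOW_ON = [re.compile(rx) for rx in [
    r"\bps\s+(aux|-ef)\b", r"\b(ss|netstat)\s+-", r"\bsudo\s+-l\b",
    r"\buname\s+-a\b", r"\bcat\s+/etc/(passwd|os-release)\b",
]]
# Documented, approved enumeration as (user, parent basename) pairs, e.g.
# patch management and inventory agents. Assumed baseline for this example.
BASELINE = {("svc-patch", "python3"), ("svc-inventory", "osqueryd")}
WINDOW = timedelta(minutes=15)
CRITICALITY = {"high": 30, "medium": 10, "low": 0}

def classify(cmd):
    """Return ('discovery', platform), ('follow_on', None) or (None, None)."""
    for platform, rx in DISCOVERY:
        if rx.search(cmd):
            return "discovery", platform
    if any(rx.search(cmd) for rx in FOLLOW_ON):
        return "follow_on", None
    return None, None

def detect_chains(events):
    """Alert per (host, session) when, within WINDOW of the first discovery
    command, two or more distinct discovery commands run, or discovery is
    followed by further reconnaissance, and the actor is not baselined."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["host"], ev["session"])].append(ev)
    alerts = []
    for (host, session), evs in sessions.items():
        tagged = [classify(e["cmd"]) + (e,) for e in sorted(evs, key=lambda e: e["ts"])]
        first = next((e for kind, _, e in tagged if kind == "discovery"), None)
        if first is None:
            continue
        if (first["user"], first["parent"].rsplit("/", 1)[-1]) in BASELINE:
            continue  # approved inventory or patching activity
        deadline = first["ts"] + WINDOW
        window = [t for t in tagged if first["ts"] <= t[2]["ts"] <= deadline]
        discovery = {e["cmd"] for kind, _, e in window if kind == "discovery"}
        platforms = sorted({p for kind, p, _ in window if kind == "discovery"})
        follow_on = any(kind == "follow_on" for kind, _, _ in window)
        if len(discovery) < 2 and not follow_on:
            continue  # one inventory command on its own is not a chain
        score = (40 + 20 * (len(discovery) - 1) + (20 if follow_on else 0)
                 + CRITICALITY.get(first["criticality"], 0))
        alerts.append({
            "host": host, "session": session, "user": first["user"],
            "platforms": platforms, "distinct_discovery": len(discovery),
            "follow_on": follow_on, "score": score,
            "severity": "high" if score >= 80 else "medium" if score >= 60 else "low",
        })
    return alerts

def _ev(ts, host, session, user, parent, cmd, criticality):
    return {"ts": datetime.fromisoformat(ts), "host": host, "session": session,
            "user": user, "parent": parent, "cmd": cmd, "criticality": criticality}

# Constructed sample telemetry (not real logs): one event per process start.
SAMPLE_EVENTS = [
    # web-01: web service account enumerates packages, then recon -> chain
    _ev("2024-05-01T10:00:00", "web-01", "s1", "www-data", "/bin/bash", "dpkg -l", "medium"),
    _ev("2024-05-01T10:01:30", "web-01", "s1", "www-data", "/bin/bash", "rpm -qa", "medium"),
    _ev("2024-05-01T10:02:00", "web-01", "s1", "www-data", "/bin/bash", "ps aux", "medium"),
    _ev("2024-05-01T10:03:10", "web-01", "s1", "www-data", "/bin/bash", "sudo -l", "medium"),
    # db-01: documented patch run under a baselined service account -> suppressed
    _ev("2024-05-01T11:00:00", "db-01", "s2", "svc-patch", "/usr/bin/python3", "dpkg -l", "high"),
    _ev("2024-05-01T11:00:05", "db-01", "s2", "svc-patch", "/usr/bin/python3", "apt list --installed", "high"),
    # mac-lab-07: a single developer command -> no chain
    _ev("2024-05-01T12:00:00", "mac-lab-07", "s3", "alice", "/bin/zsh", "brew list", "low"),
    # esxi-02: two distinct version/package enumerations on a hypervisor -> chain
    _ev("2024-05-01T13:00:00", "esxi-02", "s4", "root", "/bin/sh", "esxcli software vib list", "high"),
    _ev("2024-05-01T13:04:00", "esxi-02", "s4", "root", "/bin/sh", "vmware -vl", "high"),
    # dev-03: follow-on recon 30 minutes later falls outside WINDOW -> no chain
    _ev("2024-05-01T14:00:00", "dev-03", "s5", "bob", "/bin/bash", "pip3 freeze", "low"),
    _ev("2024-05-01T14:30:00", "dev-03", "s5", "bob", "/bin/bash", "ps aux", "low"),
    # dev-03: the same pair three minutes apart -> chain
    _ev("2024-05-01T15:00:00", "dev-03", "s6", "bob", "/bin/bash", "pip3 freeze", "low"),
    _ev("2024-05-01T15:03:00", "dev-03", "s6", "bob", "/bin/bash", "ps aux", "low"),
]

if __name__ == "__main__":
    print(*detect_chains(SAMPLE_EVENTS), sep="\n")
```

Run stand-alone, the script reports three chains (the web server session, the ESXi session and the second dev-03 session) and stays silent on the baselined patch run, the lone macOS command and the pair that falls outside the window. The command list is deliberately generous and the alert condition deliberately conservative; in production the baseline pairs would come from the approved-activity documentation named under mitigation priorities, and the patterns would be extended per platform from what local telemetry actually records.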

Mitigation priorities

  • Ensure authoritative software inventory and asset ownership exist so defenders can distinguish expected enumeration from suspicious discovery.
  • Enable and retain relevant endpoint, cloud, and management-plane logs for environments aligned to T1518: ESXi, IaaS, Linux, and macOS where present.
  • Restrict administrative and inventory-query privileges to approved roles and service accounts, with review of unnecessary access.
  • Document approved discovery, patching, vulnerability scanning, and configuration management activity for SOC allowlisting and audit evidence.
  • Test incident response playbooks for early discovery alerts, including when to enrich, contain credentials, or investigate follow-on activity.

Analyst notes and limits

This take is based on the DET0392 detection strategy metadata and its relationship to ATT&CK T1518 Software Discovery. The object name suggests a multi-platform behavior-chain focus, but the detection strategy itself does not list platforms or provide official detection content. The related technique provides the strongest context: discovery of installed software and versions in ESXi, IaaS, Linux, and macOS environments.

Official description and official detection fields are not provided for DET0392. No active exploitation, adversary attribution, concrete analytic logic, or guaranteed coverage can be inferred. Local validation is required to determine which telemetry sources exist, which platforms are in scope, and what administrative software discovery is normal in the environment.

Official MITRE ATT&CK definition

Multi-Platform Software Discovery Behavior Chain

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1518
Name: Software Discovery
Relationship / procedure: This object detects Software Discovery.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f50b36dd030c6222...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: f50b36dd030c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0392 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.