DET0888: Detection of Software
Analyst context for executives and security teams
DET0888 is a MITRE detection strategy for identifying adversary reconnaissance focused on a victim’s software environment. The business significance is that software inventory details—products, versions, and defensive tooling—can help an adversary choose targets, plan follow-on access, or tailor activity around controls. Because the official detection strategy has no description, platforms, tactics, or detection logic supplied, organizations should treat this as a coverage validation prompt rather than a ready-made analytic.
Executive priority
Prioritize this as a governance and readiness question: can the organization tell when outsiders or unauthorized parties are trying to learn what software and security tools are in use? This matters for vulnerability prioritization, exposure management, incident triage, and audit evidence around asset inventory and monitoring. Leaders should ask whether software inventory data is exposed unnecessarily, whether reconnaissance against that data is monitored, and whether SOC and IR teams can connect early reconnaissance signals to later suspicious activity.
Technical view
The relationship context ties DET0888 to ATT&CK technique T1592.002, Software, under reconnaissance on the PRE platform. SOC and detection engineering teams should validate whether they collect and correlate evidence of attempts to enumerate installed software, versions, host components, or defensive products. Because MITRE does not provide official detection text for this object, detection design must be derived from local telemetry sources and from the related technique context, with careful separation between legitimate inventory/security assessment activity and suspicious external or unauthorized collection.
Likely telemetry
- Asset inventory and software inventory records, including product and version metadata where available
- Logs from externally exposed services or portals that may reveal software banners, versions, or components
- Security tool, EDR, vulnerability management, or CMDB access logs showing queries or exports of software inventory data
- Network and application logs associated with scanning or probing of systems for software-identifying responses
- Authentication and authorization logs for users or services accessing software inventory repositories
Detection direction
- Validate whether monitoring exists for unusual access to software inventory, CMDB, vulnerability management, EDR, or security tooling data.
- Tune detections to account for legitimate IT operations, vulnerability scanning, asset discovery, audits, and managed security activity to reduce false positives.
- Look for reconnaissance context rather than a single event: unusual source, timing, scope, frequency, or access to software/version details can be more meaningful than normal inventory reads.
- Assess exposure of software-identifying information from internet-facing systems, since the related technique includes gathering host software information for targeting.
- Because the official detection field is not provided, document local analytic assumptions and test them against authorized scanning and inventory workflows.
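One way to express the "reconnaissance context rather than a single event" guidance above, as an added example that is neither MITRE's nor Glexia's analytic: constructed inventory-access records are compared with a per-actor baseline, and an alert fires only when several signals coincide. The record layout, identities, thresholds and allowlist are assumptions to be replaced with local telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, actor, source_ip, action, hosts_returned).
# The schema and values are hypothetical, not a real product's log format.
BASELINE = [
    ("2024-05-06T10:02:00", "svc-vulnscan", "10.0.5.10", "query", 400),
    ("2024-05-06T14:20:00", "jdoe", "10.0.8.21", "query", 3),
    ("2024-05-07T09:45:00", "jdoe", "10.0.8.21", "query", 5),
]
OBSERVED = [
    ("2024-05-08T10:03:00", "svc-vulnscan", "10.0.5.10", "query", 405),
    ("2024-05-08T15:30:00", "jdoe", "10.0.9.77", "query", 6),
    ("2024-05-09T02:14:00", "jdoe", "203.0.113.40", "export", 380),
]
AUTHORIZED = {"svc-vulnscan"}   # local assumption: approved scanner identities
BUSINESS_HOURS = range(8, 19)   # local assumption: 08:00-18:59
SCOPE_FACTOR = 5                # scope above 5x the actor's baseline maximum is unusual

def build_profile(records):
    """Per-actor known source IPs and largest result size seen in the baseline."""
    profile = defaultdict(lambda: {"sources": set(), "max_hosts": 0})
    for _, actor, src, _, hosts in records:
        profile[actor]["sources"].add(src)
        profile[actor]["max_hosts"] = max(profile[actor]["max_hosts"], hosts)
    return profile

def signals(record, profile):
    """Names of the context signals (source, timing, scope, export) that fire."""
    ts, actor, src, action, hosts = record
    known = profile.get(actor, {"sources": set(), "max_hosts": 0})
    checks = {
        "new_source": src not in known["sources"],
        "off_hours": datetime.fromisoformat(ts).hour not in BUSINESS_HOURS,
        "wide_scope": hosts > SCOPE_FACTOR * max(known["max_hosts"], 1),
        "bulk_export": action == "export",
    }
    return [name for name, hit in checks.items() if hit]

def detect(observed, profile, min_signals=2):
    """Alert on coinciding signals; authorized identities are exempt only on known sources."""
    alerts = []
    for rec in observed:
        fired = signals(rec, profile)
        authorized_ok = rec[1] in AUTHORIZED and "new_source" not in fired
        if not authorized_ok and len(fired) >= min_signals:
            alerts.append((rec[0], rec[1], rec[2], fired))
    return alerts

print(detect(OBSERVED, build_profile(BASELINE)))
```

The allowlist is scoped to known source addresses, so a scanner identity used from an unfamiliar host is scored like any other actor.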
Mitigation priorities
- Reduce unnecessary disclosure of software names, versions, banners, and defensive tooling details where operationally feasible.
- Apply least-privilege access to software inventory, vulnerability management, EDR, SIEM, and CMDB data stores.
- Maintain accurate asset and software inventory so defenders can distinguish expected discovery from unusual collection behavior.
- Review logging and retention for systems that store or expose software inventory information.
- Integrate reconnaissance findings into vulnerability management and incident response workflows so discovered exposure can drive prioritization.
Analyst notes and limits
This Glexia take is based on the supplied DET0888 fields and its relationship to T1592.002 Software. The object itself has no official description, detection text, platform, or tactic values, so the practical guidance is intentionally framed around validation of telemetry and controls rather than a specific MITRE-provided analytic.
No official detection logic, platforms, tactics, or implementation details were supplied for DET0888. The related technique description is truncated in the provided object context. Local environment evidence is required to determine applicable data sources, normal administrative behavior, false-positive patterns, and actual monitoring coverage.
Detection of Software
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | aad18213ee6b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0888
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.