T1518.002: Backup Software Discovery
Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact.
Commands that can be used to obtain security software information are netsh, `reg query` with Reg, `dir` with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for, such as Veeam, Acronis, Dropbox, or Paragon.[1]
Analyst context for executives and security teams
Backup Software Discovery matters because it can be a precursor to actions that make recovery harder, including data destruction, inhibiting system recovery, or encryption for impact. For leaders, the key issue is not the discovery command itself, but whether the organization can see when backup tools, configurations, services, processes, or registry entries are being enumerated before an impact event.
Executive priority
Treat this as a resilience and incident-readiness signal. Security leaders should ask whether SOC and IR teams can identify unusual discovery of backup products across Windows, macOS, and Linux, and whether backup administration, recovery processes, and monitoring are separated enough to withstand follow-on impact attempts. This technique is especially relevant to business continuity evidence, ransomware preparedness, and validation of recovery controls.
Technical view
ATT&CK describes adversaries listing installed backup software or configurations and using results to shape follow-on behavior. The supplied examples include use of netsh, reg query/Reg, dir/cmd, and Tasklist, with discovery potentially focused on products such as Veeam, Acronis, Dropbox, or Paragon. Because ATT&CK provides no official detection text, teams should use the related DET0088 strategy as a validation direction: monitor CLI, registry, process, and file-system inspection patterns that indicate backup software discovery, then correlate with user context, host role, and subsequent recovery-inhibition or impact behavior.
Likely telemetry
- Command-line process creation on Windows, macOS, and Linux
- Parent/child process relationships for shells and administrative utilities
- Windows registry query activity where applicable
- Process listing and service discovery output or events
- File and directory enumeration of backup software paths or configuration locations
Detection direction
- Validate visibility into command-line arguments for utilities named in ATT&CK, including netsh, reg query/Reg, dir/cmd, and Tasklist where applicable.
- Tune detections around backup-product keywords and paths, but account for legitimate backup administration, software inventory, troubleshooting, and vulnerability-management scans.
- Prioritize alerts when backup discovery occurs from unusual users, non-administrative hosts, recently compromised accounts, or systems that do not normally administer backup tooling.
- Correlate discovery with follow-on behaviors referenced by ATT&CK, including Data Destruction, Inhibit System Recovery, and Data Encrypted for Impact.
- Use the related DET0088 context to test whether CLI, registry, and process-inspection based discovery is actually captured in current telemetry.
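One way to put the detection direction above into code, as an added example that is not part of the ATT&CK object or of this page: score constructed Windows process-creation events for the utilities and product names ATT&CK lists, suppress the allowlisted backup-administration account and host, and escalate when several discovery utilities touch backup products on one host. The event field names, the allowlist entries, the sample events and the score thresholds are all assumptions to be replaced with local values.

```python
import re
from collections import defaultdict

# Utilities named in ATT&CK for T1518.002, matched on the process image name.
DISCOVERY_UTILITIES = {"netsh.exe", "reg.exe", "cmd.exe", "tasklist.exe"}
# Products named in the ATT&CK description; extend with locally deployed products.
BACKUP_KEYWORDS = re.compile(r"veeam|acronis|dropbox|paragon", re.IGNORECASE)
BACKUP_ADMINS = {"corp\\bkpadmin"}  # constructed: accounts that administer backups
BACKUP_HOSTS = {"bkp-srv01"}  # constructed: hosts that normally administer backups

def score_event(ev):
    """Score one process-creation event dict; 0 means no backup-discovery signal."""
    image = ev["image"].lower()
    if image not in DISCOVERY_UTILITIES:
        return 0, []
    if BACKUP_KEYWORDS.search(ev["cmd"]):
        score, reasons = 2, ["backup product keyword in command line"]
    elif image == "tasklist.exe":
        score, reasons = 1, ["process listing (weak signal)"]
    else:
        return 0, []  # reg/dir/netsh without a backup keyword: treat as routine
    # Context raises priority: a user or host that does not normally run backups.
    if ev["user"].lower() not in BACKUP_ADMINS:
        score, reasons = score + 1, reasons + ["user does not administer backups"]
    if ev["host"].lower() not in BACKUP_HOSTS:
        score, reasons = score + 1, reasons + ["host is not backup infrastructure"]
    return score, reasons

def correlate(events):
    """Aggregate per host; several distinct utilities on one host outweigh any single command."""
    hosts = defaultdict(lambda: {"score": 0, "utilities": set(), "reasons": []})
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            h = hosts[ev["host"].lower()]
            h["score"] += score
            h["utilities"].add(ev["image"].lower())
            h["reasons"] += reasons
    for h in hosts.values():
        if len(h["utilities"]) >= 2:
            h["score"] += 2  # multiple discovery utilities used on the same host
        h["severity"] = "high" if h["score"] >= 6 else "low"
    return dict(hosts)

# Constructed sample telemetry (not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws-1042", "user": "corp\\jdoe", "image": "tasklist.exe", "cmd": "tasklist /svc"},
    {"host": "ws-1042", "user": "corp\\jdoe", "image": "reg.exe", "cmd": "reg query HKLM\\SOFTWARE /f Veeam /s"},
    {"host": "ws-1042", "user": "corp\\jdoe", "image": "cmd.exe", "cmd": "cmd /c dir \"C:\\Program Files\\Acronis\""},
    {"host": "bkp-srv01", "user": "corp\\bkpadmin", "image": "reg.exe", "cmd": "reg query HKLM\\SOFTWARE /f Veeam /s"},
]
```

Running `correlate(SAMPLE_EVENTS)` rates the workstation high (three utilities, non-admin user) and the backup server low (same command, but expected there), which is the prioritisation the list above asks for.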
Mitigation priorities
- Inventory where backup software and agents are installed so monitoring can be targeted to high-value recovery infrastructure.
- Restrict and review administrative access to backup platforms and systems hosting backup agents or configurations.
- Ensure endpoint telemetry captures process execution, command-line arguments, and relevant registry or file-system inspection events on supported platforms.
- Separate backup administration from routine endpoint administration where feasible, and preserve audit logs needed to investigate discovery activity.
- Exercise incident-response playbooks that treat backup discovery as a possible precursor to recovery inhibition or impact, rather than as an isolated low-severity event.
Analyst notes and limits
This object is a discovery sub-technique of Software Discovery and is explicitly tied by ATT&CK to potential follow-on impact behaviors. A relationship also states that Wizard Spider uses this object, but this take does not infer current activity or customer exposure from that relationship. The most actionable defensive value is validating whether discovery of backup products is observable before destructive or encryption activity occurs.
MITRE provides no official detection guidance for this object, so detection recommendations are derived from the official description, named command examples, platforms, relationships, and the related DET0088 detection-strategy reference. Local product names, backup architecture, legitimate admin workflows, and telemetry retention must be confirmed in each environment.
Backup Software Discovery
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1518 | Software Discovery | This object is a sub-technique of Software Discovery. |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ef4e8d930d39… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Play Ransomware 2023: Symantec Threat Hunter Team. (2023, April 19). Play Ransomware Group Using New Custom Data-Gathering Tools. Retrieved May 22, 2025.
- [2] mitre-attack T1518.002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.