Software Discovery
Identify installed software / running services / kernel versions to pick the right post-exploitation primitive.
§ Where this technique fits
T1518 is catalogued under the Discovery tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 3.3 on average.
Authoritative reference: attack.mitre.org/techniques/T1518/.
§ Dossiers chaining this technique
- step 2 / 5
AlwaysInstallElevated → SYSTEM via MSI
Both HKCU and HKLM AlwaysInstallElevated policies set to 1 — any user-installed MSI runs as SYSTEM. Drop a malicious MSI and install it.
- step 2 / 5
polkit pwnkit (CVE-2021-4034) → instant root
Pre-2022 pkexec has a heap-overflow exploitable with no special permissions. Compile / drop the exploit, run as low-priv user, gain root.
- step 6 / 6
Exposed UART → root shell → firmware extraction
Open the IoT device, locate TX/RX/GND pads, attach a USB-UART, get an unauthenticated root prompt, dump firmware for offline analysis + 0-day hunting.
§ What commonly comes next
- 01 Command and Scripting Interpreter (seen 2×) · T1059 · Execution