T1518.002 Backup Software Discovery
Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact.
Commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for, such as Veeam, Acronis, Dropbox, or Paragon.[1]
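A detection sketch for the indicators above, added here as an example and not part of the ATT&CK entry: it flags process command lines that pair one of the named listing utilities with a named backup product, then alerts when one account probes several products in a short window. The event field names, hosts, accounts, thresholds and sample command lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Utilities and product names taken from the technique description above.
UTILS = re.compile(r"(?<![\w-])(netsh|tasklist|dir|reg(?:\.exe)?\s+query)(?![\w-])", re.I)
VENDORS = re.compile(r"veeam|acronis|dropbox|paragon", re.I)

def backup_discovery_hits(events):
    """Return (ts, host, user, vendor) for commands pairing a listing utility with a backup product name."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        if UTILS.search(cmd):
            for vendor in {v.lower() for v in VENDORS.findall(cmd)}:
                hits.append((ev["ts"], ev["host"], ev["user"], vendor))
    return hits

def correlate(events, window=300, min_vendors=2):
    """Alert when one user on one host probes >= min_vendors products within `window` seconds."""
    by_actor = defaultdict(list)
    for ts, host, user, vendor in backup_discovery_hits(events):
        by_actor[(host, user)].append((ts, vendor))
    alerts = []
    for (host, user), hits in sorted(by_actor.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            vendors = {v for ts, v in hits[i:] if ts - start <= window}
            if len(vendors) >= min_vendors:
                alerts.append({"host": host, "user": user, "vendors": sorted(vendors)})
                break  # one alert per actor is enough for triage
    return alerts

# Constructed process-creation events (ts is epoch seconds); not taken from any real incident.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "ws-07", "user": "svc_web", "cmdline": r"reg query HKLM\SOFTWARE /s /f veeam"},
    {"ts": 1030, "host": "ws-07", "user": "svc_web", "cmdline": "cmd.exe /c tasklist | findstr /i acronis"},
    {"ts": 1055, "host": "ws-07", "user": "svc_web", "cmdline": r'cmd.exe /c dir "C:\Program Files" | findstr /i paragon'},
    {"ts": 2000, "host": "bk-01", "user": "backupadmin", "cmdline": r'"C:\Apps\veeam-console.exe"'},
    {"ts": 2100, "host": "ws-12", "user": "alice", "cmdline": "tasklist /v"},
    {"ts": 9000, "host": "ws-15", "user": "bob", "cmdline": r"cmd.exe /c dir C:\Users\bob\Dropbox"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring several distinct products per account keeps a single routine lookup, such as a user listing their own Dropbox folder, from raising an alert.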
| Item | Value |
|---|---|
| ID | T1518.002 |
| Sub-techniques | T1518.001, T1518.002 |
| Tactics | TA0007 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 22 May 2025 |
| Last Modified | 22 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0102 | Wizard Spider | Wizard Spider has utilized the PowerShell script Get-DataInfo.ps1 to collect installed backup software information from a compromised machine.[2] |
References
[1] Symantec Threat Hunter Team. (2023, April 19). Play Ransomware Group Using New Custom Data-Gathering Tools. Retrieved May 22, 2025.
[2] Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.