T1592.002, Reconnaissance

Gather Victim Host Information:
Software

Adversaries enumerate installed software, version numbers, and frameworks to identify exploitable vulnerabilities on victim systems. Watch the simulation below to see how an attacker builds a complete software fingerprint.

// SOFTWARE DISCOVERY IN PROGRESS

Software Discovery Scanning...

Patched

Update Available

Vulnerable

WIN

Windows Server 2022

Build 20348.2113

Apache HTTPD

2.4.57

SSL

OpenSSL

3.0.8

CVE-2024-0727

SQL

MySQL Server

8.0.35

Python

3.11.6

CVE-2024-6232

Node.js

18.17.1 LTS

Redis

7.2.0

CVE-2024-31449

// ASSEMBLED SOFTWARE FINGERPRINT

⇄

TARGET SOFTWARE FINGERPRINT

OS: Windows Server 2022

WEB: Apache 2.4.57

TLS: OpenSSL 3.0.8 ⚠

DB: MySQL 8.0.35

RUNTIME: Node.js 18.17 + Python 3.11

CACHE: Redis 7.2.0 ⚠

// ATTACK SURFACE RISK LEVEL

RISK: 88 / 100, 3 known CVEs match target software stack

// ATTACK KILL CHAIN

🔍

Discover Software

Enumerate versions via headers, banners, DNS

➜

🔎

Match CVEs

Cross-reference versions against NVD/CISA KEV

➜

💥

Exploit

Deploy weaponized exploit against vulnerable software

Context & Impact

Why Software Discovery Matters

21K+

CVEs disclosed in H1 2025 alone, creating an ever-expanding attack surface for adversaries to exploit.

1,484

Vulnerabilities added to the CISA KEV catalog in 2025, with 20.5% actively exploited by ransomware groups.

45%

Of organizations predicted to experience attacks on their software supply chains by 2025 (Gartner/ScienceDirect).

Attackers now use agentic AI to automate reconnaissance and harvest victim credentials, including software version enumeration (Tenable).

Software information gathering is one of the most valuable reconnaissance activities an adversary can perform. Knowing exactly what software and versions are running on a target system lets attackers search for known exploits in public vulnerability databases, dramatically lowering the barrier to entry for even sophisticated attacks. The attacker does not need to discover a zero-day, they simply need to know which version of OpenSSL, Apache, or MySQL is running and then look up the corresponding CVE entry.

In 2025, the volume of known vulnerabilities continues to explode. Over 21,000 CVEs were disclosed in just the first half of the year (source: deepstrike.io). The CISA Known Exploited Vulnerabilities (KEV) catalog grew by 1,484 vulnerabilities, with a staggering 20.5% exploited by ransomware operators (source: gopher.security). Gartner predicted that by 2025, 45% of organizations would experience attacks on their software supply chains (source: Gartner/ScienceDirect), making software inventory management a critical defensive capability.

The rise of agentic AI in cyberattacks means adversaries can now automate the entire reconnaissance pipeline, scanning, version fingerprinting, CVE matching, and even exploit selection, at machine speed. According to Tenable's 2025 report, attackers are leveraging AI to harvest victim credentials including software version enumeration, making this sub-technique more dangerous than ever.

References & Sources

Definitions

Key Terms & Concepts

Simple Definition

Software (T1592.002) is a sub-technique under MITRE ATT&CK's Gather Victim Host Information (T1592) where adversaries systematically collect information about the software installed on a victim's systems. This includes operating systems, web servers, databases, application frameworks, programming language runtimes, third-party libraries, and their specific version numbers. The gathered software intelligence is then cross-referenced against public vulnerability databases such as the CVE/NVD (National Vulnerability Database) to identify known, documented exploits that the attacker can leverage, transforming passive reconnaissance into a precise weapon selection process.

Everyday Analogy: Imagine a burglar who checks a restaurant's menu before deciding when to rob the place. They see the restaurant uses an outdated point-of-sale system from 2019, one known to have a weakness in its payment processing module. They don't need to be master hackers; they just need to know which software version is running, look up the known vulnerability online, and use a ready-made exploit tool downloaded from the internet. The entire attack hinges on that single piece of information: the software version number. This is exactly what T1592.002 represents at enterprise scale, attackers mapping out every piece of software on your network to find the weakest link.

Case Study

Real-World Scenario: The DataVault Breach

Kevin Zhao

Senior Systems Engineer at DataVault Analytics, a cloud-based analytics company serving Fortune 500 clients

✗

BEFORE: The Breach

DataVault's web servers disclosed detailed software versions in HTTP response headers without any obfuscation. Every HTTP response included identifiable banners: Server: Apache/2.4.49 and X-Powered-By: PHP/7.4.3. Attackers performing passive reconnaissance discovered this information through routine active scanning, then cross-referenced the Apache version and discovered it had a critical path traversal vulnerability (CVE-2021-41773) with a CVSS score of 7.5. Exploiting this path traversal flaw allowed the attackers to read arbitrary files on the server, including source code that contained hardcoded database credentials. The breach exposed sensitive analytics data of 340 enterprise clients and resulted in 28 lawsuits totaling $14.2 million in damages, along with severe reputational harm that caused several major clients to terminate their contracts.

✓

AFTER: The Fix

Kevin led a comprehensive remediation effort. He stripped all version information from HTTP headers by configuring Apache's ServerTokens directive to "Prod" and removing the X-Powered-By header entirely. He implemented server signature obfuscation using mod_security to rewrite response headers with generic values. He deployed a Web Application Firewall (WAF) with virtual patching capabilities that could block exploit attempts targeting known CVEs even before patches were applied. He set up automated software inventory monitoring with version tracking using tools that continuously scanned the environment for new software installations and version changes. Additionally, he configured Apache to return generic error messages without version details, eliminating the information leakage that enabled the original reconnaissance. Kevin also established a monthly security review process where the team would audit all externally-facing services for information disclosure.

Defense Playbook

7-Step Defense Guide

Build a Comprehensive Software Inventory

Deploy automated asset discovery tools to maintain a real-time inventory of all software across endpoints, servers, and containers.
Record exact version numbers, installation dates, patch levels, and vendor information for every piece of software.
Include third-party libraries, dependencies (npm, pip, Maven), and runtime environments in the inventory.
Use Configuration Management Databases (CMDBs) to correlate software assets with business owners and criticality ratings.

Remove Version Information from Public Responses

Configure web servers to suppress version strings: Apache ServerTokens Prod, nginx server_tokens off, IIS RemoveServerHeader.
Strip X-Powered-By, X-AspNet-Version, and similar framework disclosure headers from all HTTP responses.
Implement WAF rules to rewrite or block response headers that leak software identity before they reach clients.
Configure custom error pages that do not reveal stack traces, framework names, or version details.

Implement a Vulnerability Management Program

Deploy vulnerability scanners (Qualys, Tenable, Rapid7) on a continuous or weekly basis to identify known software flaws.
Integrate with NVD and CISA KEV feeds to automatically flag software versions with known exploits in the wild.
Establish severity-based SLAs: Critical vulnerabilities patched within 48 hours, High within 7 days, Medium within 30 days.
Create a risk-based prioritization framework that considers exploit availability, business impact, and network exposure.

Deploy Virtual Patching via WAF/IPS

Configure WAF rules that block known exploit patterns (e.g., Apache path traversal signatures, SQL injection for unpatched MySQL).
Use IPS/IDS systems with regularly updated signature databases to detect and block exploitation attempts targeting known software CVEs.
Layer virtual patches as a temporary mitigation while coordinating safe deployment of actual software patches.
Test virtual patch rules in staging environments before production deployment to avoid blocking legitimate traffic.

Monitor CISA KEV Catalog and Threat Feeds

Subscribe to automated CISA KEV alerts and integrate them into your vulnerability management and ticketing workflows.
Monitor threat intelligence feeds (AlienVault OTX, IBM X-Force, Recorded Future) for new exploits targeting your software stack.
Set up automated correlation between your software inventory and newly published CVEs to generate instant alerts.
Track ransomware group activity that specifically targets software vulnerabilities in your technology stack.

Establish a Patch Management SLA

Define and enforce organization-wide patch management SLAs with clear escalation paths for non-compliant systems.
Implement automated patch deployment for critical security updates using tools like WSUS, SCCM, or Chef/Puppet/Ansible.
Create a pre-approved emergency patching process for zero-day vulnerabilities that bypasses normal change management delays.
Track patch compliance metrics and report them to executive leadership as part of the security posture dashboard.

Conduct Regular Software Audits and Pentests

Schedule quarterly internal audits to verify software inventory accuracy and identify unauthorized or shadow IT software installations.
Engage external penetration testers at least annually to simulate adversarial software discovery techniques (T1592.002).
Use Software Composition Analysis (SCA) tools to identify vulnerable open-source dependencies in custom applications.
Include banner grabbing, HTTP header analysis, and service fingerprinting tests in every penetration testing engagement.

Lessons Learned

Common Mistakes & Best Practices

✗ Common Mistakes

Leaving default software banners enabled. Most web servers, databases, and frameworks ship with verbose version disclosure. Failing to disable these banners provides attackers with exact version intelligence on a silver platter, effectively doing their reconnaissance work for them.

No centralized software inventory. Without a complete, up-to-date inventory of installed software and versions, security teams cannot correlate assets against vulnerability databases, leaving critical gaps where unmanaged software runs unnoticed.

Ignoring third-party and open-source dependencies. Many organizations track major applications but neglect npm packages, Python libraries, and other dependencies. These components often have the highest volume of known vulnerabilities.

Slow patching cycles for internet-facing services. Allowing weeks or months to pass before patching externally-exposed web servers, databases, or APIs gives adversaries a wide exploitation window against known CVEs.

Relying solely on network perimeter defenses. Assuming that firewalls and VPNs prevent software enumeration is dangerous. Attackers use phishing, supply chain compromise, and insider access to bypass perimeters and fingerprint internal software directly.

✓ Best Practices

Implement defense-in-depth for version obfuscation. Strip headers at the application layer, configure server-level banner suppression, and use WAF rules to catch any residual information leakage across the entire stack.

Automate continuous software discovery and monitoring. Deploy agent-based and agentless scanning tools that continuously discover new software installations, track version changes, and alert on unauthorized software in real time.

Integrate vulnerability feeds directly into workflows. Connect CISA KEV, NVD, and vendor security advisories to your ticketing system so that new CVEs matching your software inventory automatically create prioritized remediation tasks.

Use virtual patching for rapid risk reduction. Deploy WAF and IPS virtual patches as an immediate protective layer when critical vulnerabilities are discovered, providing time to safely test and deploy actual software patches.

Test your own exposure with regular adversarial simulation. Conduct internal red team exercises that specifically practice T1592.002 techniques to identify blind spots in your software information exposure before real attackers find them.

Adversary Perspectives

Red Team vs Blue Team View

Red Team, Attacker

How Attackers Exploit Software Discovery

Red teams leverage T1592.002 as the foundation of their exploitation strategy. By systematically identifying every piece of software and its exact version, they can prioritize targets based on exploit availability. The process begins with passive techniques, examining job postings, error pages, and leaked documentation for software clues, then escalates to active banner grabbing, service fingerprinting, and framework enumeration. The goal is to build a complete software map that reveals the path of least resistance into the target environment.

Once software versions are mapped, red teams cross-reference against exploit databases, public PoC code on GitHub, and dark web exploit marketplaces. The combination of known CVEs + public exploit code + exposed version numbers often eliminates the need for any custom exploit development whatsoever.

whatweb - identify web technologies
nmap -sV - service version detection
wappalyzer / builtwith - tech fingerprinting
nikto - web server vulnerability scanner
searchsploit - local exploit DB search
cve-search / NVD API - CVE lookup

Blue Team, Defender

How Defenders Detect & Prevent Software Discovery

Blue teams must assume that adversaries will attempt software enumeration and implement layered controls to minimize information exposure. The primary defense is reducing the attack surface by eliminating every possible source of version information leakage. This includes HTTP headers, error messages, TLS certificate metadata, and even DNS records that may hint at specific software platforms.

Detection focuses on monitoring for the reconnaissance behaviors themselves, excessive HEAD requests, unusual User-Agent strings from scanning tools, connection patterns from known scanner IP ranges, and access to files or endpoints that reveal software configuration. Proactive defense means staying ahead of the scanner.

WAF - block version disclosure headers
SIEM - detect banner grabbing patterns
HIDS - monitor software inventory changes
SCA tools - track dependency vulnerabilities
SecurityHeaders.com - verify header hygiene
OSINT - monitor your own external exposure

Detection & Hunting

Threat Hunter's Eye

Threat hunters investigating potential T1592.002 activity should focus on detecting the behavioral patterns associated with software enumeration rather than relying solely on signature-based detection. Since software discovery techniques use legitimate protocols and commands, hunters need to look for anomalous patterns of reconnaissance behavior that indicate an adversary is systematically mapping the software landscape of the target environment.

Key hunting hypotheses include: Are there endpoints making an unusual volume of HTTP HEAD or OPTIONS requests designed to elicit version-bearing response headers? Are there connections from uncommon source IPs performing service version probes against multiple internal hosts? Is there evidence of command-line enumeration tools being executed from user workstations rather than administrative jump hosts? Are there sudden spikes in access to files like /etc/os-release, C:\Windows\System32\config, or package manager queries?

Hunters should also examine TLS certificate metadata for connections to known vulnerability intelligence platforms and exploit repositories, which may indicate an adversary is actively researching exploits for the software versions they have already discovered on the target.

Indicators of Compromise & Detection Queries

SIGMA: detection of excessive HTTP HEAD/OPTIONS requests from single source IP within 5-minute window
Windows Event 4688: command-line execution of "wmic product get name,version" from non-admin context
Sysmon Event 7: Image-loaded events for common enumeration tools (whatweb, wappalyzer, nikto)
Network: DNS queries to Shodan, Censys, or VirusTotal API endpoints from internal hosts
Apache/Nginx access logs: sequential requests to /, /robots.txt, /server-status with varying User-Agents
Linux: auth.log showing unauthorized execution of "dpkg -l", "rpm -qa", or "apt list --installed"
WAF: rate of requests targeting version-specific paths (e.g., /wp-content/ for WordPress, /.env for frameworks)

T1592, Gather Victim Host Information

Explore Related Techniques

T1592.002 Software is one of four sub-techniques under Gather Victim Host Information. Understanding the full spectrum of host information gathering helps you build a comprehensive defense strategy.

T1592 Parent, Gather Victim Host Information T1592.001, Hardware T1592.003, Firmware T1592.004, Client Configurations

Software

MITIGATIONS

Pre-compromise M1056

DETECTION STRATEGY

Detection of Software DET0888

DONATE · SUPPORT

We keep threat intelligence free. No paywalls, no ads. Your donation directly funds server infrastructure, research, and tools. Every contribution - no matter the size - makes this platform sustainable.

100% of your support goes to the platform. No corporate sponsors, just the community.

ROOT::DONATE

Cyber Pulse Academy
February 13, 2026
No Comments