ITM is an open framework - Submit your contributions now.

Detections

ConsoleHost_history.txt Created Timestamp Discrepancy

ConsoleHost_history.txt File Missing

Windows File Deleted, Event Logs

Windows System Logging was Cleared

Print Spooler Service

Installed Printers via Registry

Printed Documents via Event Logs

Tamper Seal

Cyber Deception, File Canary

Cyber Deception, Honeypot

Cyber Deception, Honey User

Windows Operating System Installed Date

NTFS Timestamp Discrepancy

Utilize Cold Storage for Logs

Windows Local Account Deleted

Windows System Shutdown, Event Logs

Firefox Browser History

Edge Browser History

Chrome Browser History

Shellbags, USB Removable Storage

USBSTOR Registry Key

USB Registry Key

MountedDevices Registry Key

Windows Event Log, DriverFrameworks-UserMode

Windows Setupapi.dev.log

Windows LNK Files

Windows Prefetch

File Metadata

File EXIF Data

auditd Timestamp Modification Rule

Windows Thumbcache

Closed-Circuit Television

Terminal Service Client Registry Key

RDP Bitmap Cache

Windows Jump Lists

auditd File Access

Windows Recycle Bin

Web Proxy Logs

Microsoft Exchange Message Trace

Email Gateway

Network Intrusion Detection Systems

Sysmon Process Create Event

Linux dpkg Log

Agent Capable of User Activity Monitoring

Agent Capable of Endpoint Detection and Response

Agent Capable of User Behaviour Analytics

Data Loss Prevention Solution

Social Media Monitoring

Impossible Travel

DNS Logging

Audit Logging

Missing .bash_history File

.bash_history Timestamp Discrepency

PowerShell Logging

User Account Deleted, Windows Event Log

Chrome Browser Cookies

Chrome Browser Login Data

Chrome Browser Bookmarks

Chrome Browser Extensions

Notepad.exe TabState

Microsoft 365 Admin Center Sign-in Activity

Microsoft Entra ID Sign-in Logs

AWS CloudTrail, Resource Deletion

GCP Cloud Audit Logs, Resource Deletion

Azure Activity Log, Resource Deletion

Financial Auditing

Windows Event Log, Logon and Logoff

Security Software Anti-Tampering Alerts

Windows Event Log, Local Firewall Changes

Map Network Drive MRU

TypedPaths

Network Registry Key

Shellbags, Network Drives

USB MountPoints2

Bash History

AzureAD PowerShell Log

Clipboard Payloads via ActivitiesCache.db

MFT Entry Number Sequence Irregularities

MFT Unusual Timestamp Patterns

MFT and Shimcache Executable Timestamp Comparison

Microsoft Unified Audit Log

Windows Event Log, Software Uninstallation

DNS Monitoring

Deep Packet Inspection

NetFlow Analysis

Windows Event Log, Audit Removable Storage

Virtual Private Network (VPN) Logs

User Behavior Analytics (UBA)

User and Entity Behavior Analytics (UEBA)

Photographic Identification Comparison

Leaver Watchlist

vssadmin Shadow Copy Deletion

Microsoft Entra ID Privileged Identity Management Resource Audit

Microsoft Teams Admin Center Meeting and Call History

macOS File System Events (FSEvents) Store Database

Windows Event Log, System Time Modification

MIP Label Activity Monitoring

Cyber Deception, Honey SPN

Asset Discovery Audit

Tracking Patterns of Policy Violations

Baseline System Performance Profiling

AWS Unauthorized System or Service Modification

GCP Unauthorized System or Service Modification

Azure Unauthorized System or Service Modification

OCI Unauthorized System or Service Modification

SystemPropertiesRemote.exe Execution

Modification of RDP Registry Keys

RDP Group Membership Changes

DNS and HTTPS Traffic to Web-Based Remote Access Platforms

Access to /mnt/c/ from Within WSL

Installation of New WSL Distributions

Threat Intelligence Feeds for Insider Threat Indicators

Registry Value Audit, Start_TrackProgs

Absence of Expected Entries in RunMRU and UserAssist

Microsoft Purview eDiscovery

Snipping Tool Cached Screenshots

Snipping Tool TempState\Snips

Snipping Tool Cached Recordings

Snipping Tool TempState\Recordings

Snipping Tool Autosave Setting Modification

Python History File

OneDrive SafeDelete.db

Discrepancies Between Physical Access Logs and System Authentication

Modification of etc/hosts File

Microsoft Defender, Printed File

Microsoft Defender, Creation of Forwarding/Redirect Rule

Microsoft Defender, Granted Mailbox Permission

Microsoft Defender, Shared File Externally

Automated Visual and Thermal Baseline Scanning of Server Environments

Asset Register Correlation

Microsoft Exchange, Auto Forwarded Message Report

File Integrity Monitoring

Endpoint Network Access Agent Telemetry Monitoring

Installed Software via Registry

ID: DT148
Created: 23rd October 2025
Updated: 23rd October 2025
Platform: Windows
MITRE ATT&CK®: DS0024
Contributor: The ITM Team

Installed Software via Registry

Three key registry paths can be used to enumerate installed software:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Registry values of interest include:

DisplayName - the name of the application
DisplayVersion - the version of the application
InstallLocation - the location on disk where files related to the application are stored
Publisher - the publisher of the application

Sections

ID	Name	Description
IF009	Installing Unapproved Software	A subject installs software onto an organization-managed system without prior approval or outside sanctioned methods (e.g., centralized package management, internal software portals). This behavior spans a spectrum of risk - from seemingly benign installations (e.g., video games, personal browsers, media players) to unauthorized deployment of potentially harmful tools sourced from unvetted repositories or adversarial infrastructure. The infringement may involve: Manual download and execution of installer packages Use of administrative access to bypass endpoint restrictions Cloning or compiling code from external code repositories such as GitHub While some installations may appear harmless, unapproved software installs can represent a breakdown in configuration control and acceptable use. In high-risk scenarios, such software may introduce remote access mechanisms, data exfiltration capabilities, or other malware. Even benign cases signal behavioral drift, particularly when repeated or ignored, and can contribute to software sprawl, policy erosion, or eventual exploitation.
PR003	Software Installation	A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.
ME002	Unrestricted Software Installation	A subject can install software on a device without restriction.
AF022	Virtualization	The subject leverages virtualization technologies—including hypervisors and virtual machines—to obscure forensic artifacts, isolate malicious activity, or evade host-based monitoring. By conducting operations within a guest operating system, the subject reduces visibility to host-level security tools and complicates the forensic process by separating volatile and persistent data across system boundaries. This strategy allows the subject to: Contain incriminating tools, logs, or staged data entirely within a VM. Avoid leaving artifacts on the host system's registry, file system, or memory. Leverage disposable VMs to execute high-risk actions and erase evidence through snapshot rollback or VM deletion. Evade host-based endpoint detection and response (EDR) tools that lack introspection into virtualized environments. Run guest OSes in stealth configurations (e.g., nested VMs, portable hypervisors) to further frustrate attribution and recovery efforts.
IF009.002	Inappropriate Software	A subject installs software that is not considered appropriate by the organization.
IF009.005	Anti-Sleep Software	The subject installs or enables software, scripts, or hardware devices designed to prevent systems from automatically locking, logging out, or entering sleep mode. This unauthorized action deliberately subverts security controls intended to protect unattended systems from unauthorized access. Characteristics Circumvents policies enforcing session locks, idle timeouts, and mandatory logout periods. May involve third-party applications ("caffeine" tools), anti-idle scripts, or physical devices such as USB mouse jigglers. Typically deployed without organizational approval or awareness. Leaves systems continuously unlocked and accessible, undermining endpoint security and physical safeguards. Renders full disk encryption protections ineffective while the system remains powered and unlocked. Creates opportunities for unauthorized access, data exfiltration, or device compromise by malicious insiders or third parties. Example Scenario A subject installs unauthorized anti-sleep software on a corporate laptop to prevent automatic locking during idle periods. As a result, the device remains accessible even when left unattended in unsecured environments such as cafes, airports, or shared workspaces. This action bypasses mandatory screen-lock policies and renders full disk encryption protections ineffective, exposing sensitive organizational data to theft or compromise by malicious third parties who can physically access the unattended device.
IF009.006	Installing Crypto Mining Software	The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks. Characteristics Deploys CPU-intensive or GPU-intensive processes (e.g., `xmrig`, `ethminer`, `phoenixminer`, `nicehash`) on endpoints, servers, or cloud infrastructure without approval. May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes. Often configured to throttle resource usage during business hours to evade human and telemetry detection. Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL). Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions. Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls. Example Scenario A subject installs a customized `xmrig` Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.
IF009.001	Unwanted Software	A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.
AF022.001	Use of a Virtual Machine	The subject uses a virtual machine (VM) on an organization device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations. By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.

MITRE ATT&CK® Mapping (1)

ATT&CK Enterprise Matrix Version 17.1