
Security Software Discovery

T1518.001 · discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. Adversaries may also utilize the Cloud API to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent.

These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.

Platforms: IaaS, Linux, macOS, Windows

Actors Using This (14)

  • Agrius (Iran)
  • Akira (Russian-speaking cybercrime)
  • ALPHV / BlackCat (Russian-speaking cybercrime)
  • Amavaldo (Latin America, Brazilian organized cybercrime)
  • Andariel (North Korea)
  • APT10 (China)
  • APT17 (China)
  • APT1 (China)
  • APT31 (China)
  • APT33 (Iran)
  • OilRig (Iran)
  • APT35 (Iran)

Likely Attack Path

Techniques the same actors pair with this one distinctively: those that show up among actors who use this technique noticeably more often than across all actors (lift > 1.15), grouped by kill-chain phase. The × figure is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
Phase shown: resource-development (earlier)

Atomic Tests

11
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

Security Software Discovery · command_prompt · windows
Methods to identify security software on an endpoint. When successfully executed, the test displays running processes, the firewall configuration for the network profiles, and specific security software.
  netsh.exe advfirewall show allprofiles
  netsh.exe advfirewall firewall dump
  netsh.exe advfirewall show currentprofile
  netsh.exe advfirewall firewall show rule name=all
  netsh.exe firewall show state
  netsh.exe firewall show config
  sc query windefend
  powershell.exe /c "Get-Process | Where-Object { $_.ProcessName -eq 'Sysmon' }"
  powershell.exe /c "Get-Service | where-object {$_.DisplayName -like '*sysm*'}"
  powershell.exe /c "Get-CimInstance Win32_Service -Filter 'Description = ''System Monitor service'''"
  tasklist.exe
  tasklist.exe | findstr /i virus
  tasklist.exe | findstr /i cb
  tasklist.exe | findstr /i defender
  tasklist.exe | findstr /i cylance
  tasklist.exe | findstr /i mc
  tasklist.exe | findstr /i "virus cb defender cylance mc"

Security Software Discovery - powershell · powershell · windows
Methods to identify security software on an endpoint. When successfully executed, PowerShell displays the processes related to AV products if they are running. Note that, depending on the privileges of the current user, get-process | ?{$_.Description -like "*"} may not return the processes related to the AV products being checked. For instance, only with Administrator rights can you see the process description of McAfee processes. Hence it is better to use get-process | ?{$_.ProcessName -like "*"} if you know the names of those processes.
  get-process | ?{$_.Description -like "*virus*"}
  get-process | ?{$_.Description -like "*carbonblack*"}
  get-process | ?{$_.Description -like "*defender*"}
  get-process | ?{$_.Description -like "*cylance*"}
  get-process | ?{$_.Description -like "*mc*"}
  get-process | ?{$_.ProcessName -like "*mc*"}
  get-process | Where-Object { $_.ProcessName -eq "Sysmon" }

Security Software Discovery - ps (macOS) · sh · macos
Methods to identify security software on an endpoint. When successfully executed, the command shell displays the AV/security software that is running.
  ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'

Security Software Discovery - ps (Linux) · sh · linux
Methods to identify security software on an endpoint. When successfully executed, the command shell displays the AV/security software that is running.
  ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'

Security Software Discovery - pgrep (FreeBSD) · sh · linux
Methods to identify security software on an endpoint. When successfully executed, the command shell displays the AV/security software that is running.
  pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'

Security Software Discovery - Sysmon Service · command_prompt (elevated) · windows
Discovery of an installed Sysinternals Sysmon service using its driver altitude (even if the service name has been changed). When successfully executed, the test displays the Sysmon driver instance if it is installed.
  fltmc.exe | findstr.exe 385201

Security Software Discovery - AV Discovery via WMI · command_prompt (elevated) · windows
Discovery of installed antivirus products via a WMI query. When successfully executed, the test displays the installed AV software.
  wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets · command_prompt (elevated) · windows
Discovery of installed antivirus products via the Get-CimInstance and Get-WmiObject PowerShell cmdlets. When successfully executed, information about the installed AV software is displayed.
  powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct
  powershell Get-WmiObject -Namespace root\securitycenter2 -Class antivirusproduct

Security Software Discovery - Windows Defender Enumeration · powershell (elevated) · windows
Windows Defender enumeration via different built-in Windows native tools. When successfully executed, information about Windows Defender is displayed.
  Get-Service WinDefend #check the service state of Windows Defender
  Get-MpComputerStatus #provides the current status of security solution elements, including anti-spyware, antivirus, IOAV protection, real-time protection, etc.
  Get-MpThreat #details of threats that have been detected by Microsoft Defender

Security Software Discovery - Windows Firewall Enumeration · powershell (elevated) · windows
Enumerates the Windows firewall to retrieve firewall rules from the target computer. When successfully executed, details of the Windows firewall are displayed.
  Get-NetFirewallProfile | Format-Table Name, Enabled
  Get-NetFirewallSetting
  Get-NetFirewallRule | select DisplayName, Enabled, Description

Get Windows Defender exclusion settings using WMIC · command_prompt (elevated) · windows
In this test, a WMIC command is used to probe the local Windows system for the configuration of Windows Defender's exclusions. The command targets the MSFT_MpPreference class in the Windows Management Instrumentation (WMI) namespace, retrieving settings such as whether real-time monitoring is disabled and the configured exclusion paths, file extensions, and processes. Attackers might use this approach to understand what is excluded from antivirus scans, enabling further exploitation.
  wmic /Node:localhost /Namespace:\\root\Microsoft\Windows\Defender Path MSFT_MpPreference Get /format:list | findstr /i /C:"DisableRealtimeMonitoring" /C:"ExclusionPath" /C:"ExclusionExtension" /C:"ExclusionProcess"
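The tests above are meant to be run so that you can confirm your detections fire. The following Python script is an added example, not Atomic Red Team code and not part of this page's data: it turns the commands listed above into detection patterns, applies them to constructed process-creation records (a host name plus a command line; the field names, category labels and sample values are this example's assumptions), and flags hosts where several distinct kinds of security-software probing show up in the same telemetry set, which is exactly what running the test suite produces.

```python
import re
from collections import defaultdict

# Indicator patterns derived from the Atomic Red Team commands listed above.
# The category names are this example's own labels, not Atomic Red Team identifiers.
INDICATORS = [
    ("firewall_enumeration",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b.*\b(show|dump)\b"
                r"|\bGet-NetFirewall(Profile|Setting|Rule)\b", re.I)),
    ("defender_service_query",
     re.compile(r"\bsc(\.exe)?\s+query\s+windefend\b|\bGet-Service\s+WinDefend\b", re.I)),
    ("process_list_grep",
     re.compile(r"\btasklist(\.exe)?\b.*\|\s*findstr\b", re.I)),
    ("sysmon_lookup",
     re.compile(r"\bsysmon\b|\*sysm\*|System Monitor service|\bfltmc(\.exe)?\b.*385201", re.I)),
    ("securitycenter2_av_query",
     re.compile(r"securitycenter2", re.I)),
    ("defender_status_cmdlet",
     re.compile(r"\bGet-Mp(ComputerStatus|Threat)\b", re.I)),
    ("defender_exclusion_probe",
     re.compile(r"MSFT_MpPreference|Exclusion(Path|Extension|Process)", re.I)),
    ("unix_agent_grep",
     re.compile(r"\b(ps\s+aux|pgrep)\b.*(falcond|osqueryd|santad|CbDefense|cbagentd|wazuh-agent|"
                r"filebeat|auditbeat|packetbeat|nessusd|LuLu|BlockBlock|Little.?Snitch|td-agent)", re.I)),
]


def classify(cmdline):
    """Return the indicator categories a single command line matches, in table order."""
    return [name for name, pattern in INDICATORS if pattern.search(cmdline)]


def summarize(events):
    """Map each host to the sorted list of distinct categories seen in its command lines.
    Hosts with no matching command line are omitted."""
    seen = defaultdict(set)
    for event in events:
        for category in classify(event["cmdline"]):
            seen[event["host"]].add(category)
    return {host: sorted(categories) for host, categories in seen.items()}


def flag_hosts(events, min_distinct=2):
    """Hosts where at least `min_distinct` different kinds of probing were observed.
    One netsh or tasklist is routine admin noise; several distinct probes on the
    same host are the pattern the tests above produce."""
    return sorted(host for host, cats in summarize(events).items() if len(cats) >= min_distinct)


# Constructed process-creation records (host + command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "netsh.exe advfirewall show allprofiles"},
    {"host": "ws01", "cmdline": "sc query windefend"},
    {"host": "ws01", "cmdline": "tasklist.exe | findstr /i defender"},
    {"host": "ws01", "cmdline": r"wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"},
    {"host": "ws02", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"host": "ws02", "cmdline": "ping.exe fileserver"},
    {"host": "srv01", "cmdline": "ps aux | egrep 'falcond|osqueryd'"},
]

if __name__ == "__main__":
    for host, categories in summarize(SAMPLE_EVENTS).items():
        print(host, categories)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Feed it the command lines from Sysmon event ID 1 or Security event 4688 (with command-line auditing enabled) and compare the flagged hosts with the machine you ran the tests on; any test whose command line falls through every pattern is a gap in this rule set that is worth closing.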

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked "none" have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
  • Behavioral / log (Sigma): 7
  • Analytics (MITRE CAR): 1
  • Runtime / container (Falco): none
  • File / malware (YARA): none
  • Network (Suricata/Snort): none
  • Vuln scan (Nuclei): none

CAR Analytics

1
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2013-04-002 · Low coverage · Quick execution of a series of suspicious commands

Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.

Commands of interest
  • arp.exe
  • at.exe
  • attrib.exe
  • cscript.exe
  • dsquery.exe
  • hostname.exe
  • ipconfig.exe
  • mimikatz.exe
  • nbstat.exe
  • net.exe
  • netsh.exe
  • nslookup.exe
  • ping.exe
  • quser.exe
  • qwinsta.exe
  • reg.exe
  • runas.exe
  • sc.exe
  • schtasks.exe
  • ssh.exe
  • systeminfo.exe
  • taskkill.exe
  • telnet.exe
  • tracert.exe
  • wscript.exe
  • xcopy.exe

Output Description
The host on which the commands were executed, the time of execution, and what commands were executed.
Pseudocode
processes = search Process:Create
reg_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
reg_grouped = group reg_processes by hostname, ppid where (max time between two events is 30 minutes)
output reg_grouped
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz.exe|nbstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include
LogPoint
norm_id=WindowsSysmon event_id=1 image IN ["*\arp.exe", "*\at.exe", "*\attrib.exe", "*\cscript.exe", "*\dsquery.exe", "*\hostname.exe", "*\ipconfig.exe", "*\mimikatz.exe", "*\nbstat.exe", "*\net.exe", "*\netsh.exe", "*\nslookup.exe", "*\ping.exe", "*\quser.exe", "*\qwinsta.exe", "*\reg.exe", "*\runas.exe", "*\sc.exe", "*\schtasks.exe", "*\ssh.exe", "*\systeminfo.exe", "*\taskkill.exe", "*\telnet.exe", "*\tracert.exe", "*\wscript.exe", "*\xcopy.exe"]
| chart count() as cnt by host
| search cnt > 1
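The pseudocode above leaves the grouping step abstract, and the DNIF and LogPoint versions count distinct images per host without the 30-minute constraint. The following Python implementation of the CAR-2013-04-002 logic is an added example, not MITRE CAR code: it filters constructed Sysmon-style process-creation records down to the commands of interest, groups them by hostname and parent PID, starts a new group whenever consecutive events of the same parent are more than 30 minutes apart (this example's reading of "max time between two events is 30 minutes"), and reports every group with more than one command. The record field names and sample values are assumptions.

```python
from datetime import datetime, timedelta

# Commands of interest, exactly as listed in CAR-2013-04-002.
COMMANDS_OF_INTEREST = {
    "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe",
    "ipconfig.exe", "mimikatz.exe", "nbstat.exe", "net.exe", "netsh.exe", "nslookup.exe",
    "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe",
    "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe",
    "tracert.exe", "wscript.exe", "xcopy.exe",
}
WINDOW = timedelta(minutes=30)   # "max time between two events is 30 minutes"


def filter_events(events):
    """Keep only process-creation events whose image name is on the watch list."""
    return [e for e in events if e["exe"].lower() in COMMANDS_OF_INTEREST]


def group_sessions(events, window=WINDOW):
    """Group events by (hostname, ppid); a gap longer than `window` between
    consecutive events of the same parent starts a new group."""
    sessions = []
    current = None
    for e in sorted(events, key=lambda e: (e["hostname"], e["ppid"], e["time"])):
        key = (e["hostname"], e["ppid"])
        if current is not None and current["key"] == key and e["time"] - current["end"] <= window:
            current["events"].append(e)
            current["end"] = e["time"]
        else:
            current = {"key": key, "start": e["time"], "end": e["time"], "events": [e]}
            sessions.append(current)
    return sessions


def detect(events, window=WINDOW, min_events=2):
    """Return one alert per group holding at least `min_events` watched commands:
    the host, the parent PID, the time span and the command sequence (the
    Output Description of the analytic)."""
    alerts = []
    for s in group_sessions(filter_events(events), window):
        if len(s["events"]) >= min_events:
            alerts.append({
                "hostname": s["key"][0],
                "ppid": s["key"][1],
                "start": s["start"],
                "end": s["end"],
                "commands": [e["exe"] for e in s["events"]],
            })
    return alerts


def _ev(hostname, ppid, exe, ts):
    return {"hostname": hostname, "ppid": ppid, "exe": exe, "time": datetime.fromisoformat(ts)}


# Constructed Sysmon-style (event ID 1) records; not real telemetry.
SAMPLE_EVENTS = [
    _ev("ws01", 4120, "hostname.exe",   "2024-05-02T09:00:00"),
    _ev("ws01", 4120, "ipconfig.exe",   "2024-05-02T09:03:00"),
    _ev("ws01", 4120, "net.exe",        "2024-05-02T09:05:00"),
    _ev("ws01", 4120, "notepad.exe",    "2024-05-02T09:10:00"),  # not on the watch list
    _ev("ws01", 4120, "netsh.exe",      "2024-05-02T09:20:00"),
    _ev("ws01", 4120, "sc.exe",         "2024-05-02T09:21:00"),
    _ev("ws01", 4120, "systeminfo.exe", "2024-05-02T13:00:00"),  # hours later: its own group
    _ev("ws02", 880,  "ping.exe",       "2024-05-02T10:00:00"),  # isolated pings: no alert
    _ev("ws02", 880,  "ping.exe",       "2024-05-02T12:30:00"),
    _ev("ws03", 2200, "reg.exe",        "2024-05-02T11:00:00"),
    _ev("ws03", 2201, "reg.exe",        "2024-05-02T11:01:00"),  # different parent: not grouped
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["hostname"], alert["ppid"], alert["start"], alert["end"], alert["commands"])
```

Grouping on the parent PID ties the burst to one interactive shell or script host, which is what separates an operator working through a checklist from unrelated scheduled tasks on the same machine; PIDs are reused over time, so when porting this to a SIEM, key on the parent's process GUID (Sysmon's ParentProcessGuid) where that field is available.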

Caldera Emulation

3
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.

Discover antivirus programs · discovery · darwin, windows
  find /Applications/ -maxdepth 2 -iname '*.app' | grep -io "[a-z ]*\.app" | grep -Ei -- "symantec|norton|bitdefender|kaspersky|eset|avast|avira|malwarebytes|sophos|(trend micro)"

Identify Firewalls · discovery · windows
  $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter";
  $SecurityCenter = $NameSpace | Select-Object -First 1;
  Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;

UAC Status · discovery · windows
  echo $(get-uac)

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin