Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108),reg query
with [Reg](https://attack.mitre.org/software/S0075),dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
Atomic Test #5 - Security Software Discovery - pgrep (FreeBSD)
Atomic Test #6 - Security Software Discovery - Sysmon Service
Atomic Test #7 - Security Software Discovery - AV Discovery via WMI
Atomic Test #9 - Security Software Discovery - Windows Defender Enumeration
Atomic Test #10 - Security Software Discovery - Windows Firewall Enumeration
Methods to identify Security Software on an endpoint
when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles and specific security software.
Supported Platforms: Windows
auto_generated_guid: f92a380f-ced9-491f-b338-95a991418ce2
1
command_prompt
!netsh.exe advfirewall show allprofiles
netsh.exe advfirewall firewall dump
netsh.exe advfirewall show currentprofile
netsh.exe advfirewall firewall show rule name=all
netsh.exe firewall show state
netsh.exe firewall show config
sc query windefend
powershell.exe /c "Get-Process | Where-Object { $_.ProcessName -eq 'Sysmon' }"
powershell.exe /c "Get-Service | where-object {$_.DisplayName -like '*sysm*'}"
powershell.exe /c "Get-CimInstance Win32_Service -Filter 'Description = ''System Monitor service'''"
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
tasklist.exe | findstr /i mc
tasklist.exe | findstr /i "virus cb defender cylance mc"
Methods to identify Security Software on an endpoint
when sucessfully executed, powershell is going to processes related AV products if they are running. Note that, depending on the privilege of current user, get-process | ?{$.Description -like “*”} may not return the processes related to AV products of the check. For instance, only with Administrator right, you can see the process description of McAffee processes. Hence, it is better to use get-process | ?{$.ProcessName -like “*”}, if you know the name of those processes.
Supported Platforms: Windows
auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0
1
powershell
!1
2
3
4
5
6
7
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
get-process | ?{$_.Description -like "*mc*"}
get-process | ?{$_.ProcessName -like "*mc*"}
get-process | Where-Object { $_.ProcessName -eq "Sysmon" }
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
Supported Platforms: macOS
auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
1
sh
!1
ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
Supported Platforms: Linux
auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2
1
sh
!1
ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
Supported Platforms: Linux
auto_generated_guid: fa96c21c-5fd6-4428-aa28-51a2fbecdbdc
1
sh
!1
pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
when sucessfully executed, the test is going to display sysmon driver instance if it is installed.
Supported Platforms: Windows
auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
1
command_prompt
! Elevation Required (e.g. root or admin)fltmc.exe | findstr.exe 385201
Discovery of installed antivirus products via a WMI query.
when sucessfully executed, the test is going to display installed AV software.
Supported Platforms: Windows
auto_generated_guid: 1553252f-14ea-4d3b-8a08-d7a4211aa945
1
command_prompt
! Elevation Required (e.g. root or admin)wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Discovery of installed antivirus products via Get-CimInstance and Get-WmiObject cmdlets of powershell.
when sucessfully executed, information about installed AV software is displayed..
Supported Platforms: Windows
auto_generated_guid: 015cd268-996e-4c32-8347-94c80c6286ee
1
command_prompt
! Elevation Required (e.g. root or admin)powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct
powershell Get-WmiObject -Namespace root\securitycenter2 -Class antivirusproduct
Windows Defender Enumeration via different built-in windows native tools. when sucessfully executed, information about windows defender is displayed.
Supported Platforms: Windows
auto_generated_guid: d3415a0e-66ef-429b-acf4-a768876954f6
1
powershell
! Elevation Required (e.g. root or admin)1
2
3
Get-Service WinDefend #check the service state of Windows Defender
Get-MpComputerStatus #provides the current status of security solution elements, including Anti-Spyware, Antivirus, LoavProtection, Real-time protection, etc
Get-MpThreat #threats details that have been detected using MS Defender
Enumerates windows firewall to retrieves firewall rules from the target computer.
when sucessfully executed, details of windows firewall is displayed.
Supported Platforms: Windows
auto_generated_guid: 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b
1
powershell
! Elevation Required (e.g. root or admin)1
2
3
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallSetting
Get-NetFirewallRule | select DisplayName, Enabled, Description