T1518.001
Software Discovery: Security Software Discovery
Description from ATT&CK
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
Atomic Tests
Atomic Test #1 - Security Software Discovery
Methods to identify Security Software on an endpoint
when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles and specific security software.
Supported Platforms: windows
auto_generated_guid: f92a380f-ced9-491f-b338-95a991418ce2
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
3
4
5
6
7
8
9
netsh.exe advfirewall show allprofiles
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
tasklist.exe | findstr /i mc
tasklist.exe | findstr /i "virus cb defender cylance mc"
Atomic Test #2 - Security Software Discovery - powershell
Methods to identify Security Software on an endpoint
when sucessfully executed, powershell is going to processes related AV products if they are running. Note that, depending on the privilege of current user, get-process | ?{$.Description -like "*"} may not return the processes related to AV products of the check. For instance, only with Administrator right, you can see the process description of McAffee processes. Hence, it is better to use get-process | ?{$.ProcessName -like "*"}, if you know the name of those processes.
Supported Platforms: windows
auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
get-process | ?{$_.Description -like "*mc*"}
get-process | ?{$_.ProcessName -like "*mc*"}
Atomic Test #3 - Security Software Discovery - ps (macOS)
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
Supported Platforms: macos
auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
Inputs:
None
Attack Commands: Run with sh!
1
2
ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'
Atomic Test #4 - Security Software Discovery - ps (Linux)
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
Supported Platforms: linux
auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2
Inputs:
None
Attack Commands: Run with sh!
1
2
ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'
Atomic Test #5 - Security Software Discovery - Sysmon Service
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
when sucessfully executed, the test is going to display sysmon driver instance if it is installed.
Supported Platforms: windows
auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
fltmc.exe | findstr.exe 385201
Atomic Test #6 - Security Software Discovery - AV Discovery via WMI
Discovery of installed antivirus products via a WMI query.
when sucessfully executed, the test is going to display installed AV software.
Supported Platforms: windows
auto_generated_guid: 1553252f-14ea-4d3b-8a08-d7a4211aa945
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List