T1518.001.md

T1518.001 - Security Software Discovery

Description from ATT&CK

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)

Atomic Tests

• Atomic Test #1 - Security Software Discovery

• Atomic Test #2 - Security Software Discovery - powershell

• Atomic Test #3 - Security Software Discovery - ps

• Atomic Test #4 - Security Software Discovery - Sysmon Service

• Atomic Test #5 - Security Software Discovery - AV Discovery via WMI

Atomic Test #1 - Security Software Discovery

Methods to identify Security Software on an endpoint

when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles and specific security software.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

netsh.exe advfirewall  show allprofiles
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance

Atomic Test #2 - Security Software Discovery - powershell

Methods to identify Security Software on an endpoint

when sucessfully executed, powershell is going to processes related AV products if they are running.

Supported Platforms: Windows

Attack Commands: Run with powershell!

get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}

Atomic Test #3 - Security Software Discovery - ps

Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV software it is running( Little snitch or carbon black ).

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
ps aux | grep falcond

Atomic Test #4 - Security Software Discovery - Sysmon Service

Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).

when sucessfully executed, the test is going to display sysmon driver instance if it is installed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

fltmc.exe | findstr.exe 385201

Atomic Test #5 - Security Software Discovery - AV Discovery via WMI

Discovery of installed antivirus products via a WMI query.

when sucessfully executed, the test is going to display installed AV software.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List