Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Example commands that can be used to obtain security software information are netsh,
reg querywith Reg,dirwith cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
-
Atomic Test #4 - Security Software Discovery - Sysmon Service
-
Atomic Test #5 - Security Software Discovery - AV Discovery via WMI
Methods to identify Security Software on an endpoint
Supported Platforms: Windows
netsh.exe advfirewall firewall show all profiles
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
Methods to identify Security Software on an endpoint
Supported Platforms: Windows
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
Methods to identify Security Software on an endpoint
Supported Platforms: Linux, macOS
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
Supported Platforms: Windows
fltmc.exe | findstr.exe 385201
Discovery of installed antivirus products via a WMI query.
Supported Platforms: Windows
wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List