From d98cedcb2cbd469aaa20f9c76d643bcabea1dccf Mon Sep 17 00:00:00 2001
From: hg8064
Date: Fri, 14 Apr 2023 17:04:13 +0200
Subject: [PATCH] add check for McAffee related processes
---
atomics/T1518.001/T1518.001.yaml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml
index 3e02f478bc..069c7fe506 100644
--- a/atomics/T1518.001/T1518.001.yaml
+++ b/atomics/T1518.001/T1518.001.yaml
@@ -18,6 +18,8 @@ atomic_tests:
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
+ tasklist.exe | findstr /i mc
+ tasklist.exe | findstr /i "virus cb defender cylance mc"
name: command_prompt
- name: Security Software Discovery - powershell
auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0
@@ -25,6 +27,9 @@ atomic_tests:
Methods to identify Security Software on an endpoint when sucessfully executed, powershell is going to processes related AV products if they are running.
+ Note that, depending on the privilege of current user, get-process | ?{$_.Description -like "*"} may not return the processes related to AV products of the check.
+ For instance, only with Administrator right, you can see the process description of McAffee processes. Hence, it is better to use get-process | ?{$_.ProcessName -like "*"},
+ if you know the name of those processes.
supported_platforms:
- windows
executor:
@@ -33,6 +38,8 @@ atomic_tests:
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
+ get-process | ?{$_.Description -like "*mc*"}
+ get-process | ?{$_.ProcessName -like "*mc*"}
name: powershell
- name: Security Software Discovery - ps (macOS)
auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
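Review bot: The two-letter needle `mc` in the two added `tasklist.exe | findstr /i` lines is far broader than the McAfee match the commit title describes: findstr searches the whole tasklist line, so any image name, session name or memory column containing those letters (for example the built-in `mmc.exe`) is reported, and the test then claims security software that is not present. Use the vendor name as the search string, `tasklist.exe | findstr /i mcafee`, and mirror it in the combined line, `tasklist.exe | findstr /i "virus cb defender cylance mcafee"`. The same over-broad `"*mc*"` wildcard appears in both `get-process` filters added in the third hunk and should become `"*mcafee*"` there too. The combined line also repeats the five single-keyword searches above it; if it is meant as a one-shot alternative rather than an additional step, the description should say so. The commit title spells the vendor `McAffee`; the product name is McAfee.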
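Review bot: The added description illustrates the filters with `-like "*"`, which matches every process and does not show what the test actually runs; quote the real patterns instead, `get-process | ?{$_.Description -like "*mc*"}` and `get-process | ?{$_.ProcessName -like "*mc*"}`. The statement that the process description is only visible with administrator rights is plausible (the Description property is read from the process's main module, which a non-privileged caller cannot open for processes of other users or of higher integrity), but it is worded as an absolute rule; I would hedge it as "for processes the current user cannot open, Description is empty, so the ProcessName filter is the more reliable check". `McAffee` should read `McAfee`, and the three added lines read more naturally as one short paragraph than as a sentence split mid-clause.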
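Review bot: The two added `get-process` lines match different properties for different reasons, and nothing in the command block says which is the fallback; a one-line comment on each would help whoever tunes the detection for this test, e.g. `# Description needs access to the process's main module; empty for processes we cannot open` above the first line and `# ProcessName is populated for every process, so this is the reliable check` above the second. The over-broad `"*mc*"` wildcard in both lines is covered in the note on the first hunk. The command block continues outside this hunk.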