redcanaryco · clr2of8 · Apr 25, 2023 · Apr 14, 2023 · Apr 25, 2023
diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml
@@ -18,13 +18,18 @@ atomic_tests:
       tasklist.exe | findstr /i cb
       tasklist.exe | findstr /i defender
       tasklist.exe | findstr /i cylance
+      tasklist.exe | findstr /i mc
+      tasklist.exe | findstr /i "virus cb defender cylance mc"
     name: command_prompt
 - name: Security Software Discovery - powershell
   auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0
   description: |
     Methods to identify Security Software on an endpoint
 
     when sucessfully executed, powershell is going to processes related AV products if they are running.
+    Note that, depending on the privilege of current user, get-process | ?{$_.Description -like "*"} may not return the processes related to AV products of the check.
+    For instance, only with Administrator right, you can see the process description of McAffee processes. Hence, it is better to use get-process | ?{$_.ProcessName -like "*"},
+    if you know the name of those processes.
   supported_platforms:
   - windows
   executor:
@@ -33,6 +38,8 @@ atomic_tests:
       get-process | ?{$_.Description -like "*carbonblack*"}
       get-process | ?{$_.Description -like "*defender*"}
       get-process | ?{$_.Description -like "*cylance*"}
+      get-process | ?{$_.Description -like "*mc*"}
+      get-process | ?{$_.ProcessName -like "*mc*"}
     name: powershell
 - name: Security Software Discovery - ps (macOS)
   auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840