Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.Example commands that can be used to obtain security software information are netsh,
reg query
with Reg,dir
with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Methods to identify Security Software on an endpoint
Supported Platforms: Windows
netsh.exe advfirewall firewall show all profiles
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
Methods to identify Security Software on an endpoint
Supported Platforms: Windows
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
Methods to identify Security Software on an endpoint
Supported Platforms: Linux, macOS
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
Supported Platforms: Windows
fltmc.exe | findstr.exe 385201