Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.===Windows===
Example commands that can be used to obtain security software information are netsh,
reg query
with Reg,dir
with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.===Mac===
It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: macOS, Windows
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM
Methods to identify Security Software on an endpoint
Supported Platforms: Windows
netsh.exe advfirewall firewall show all profiles
tasklist.exe
tasklist.exe | findstr virus
tasklist.exe | findstr cb
tasklist.exe | findstr defender
Methods to identify Security Software on an endpoint
Supported Platforms: Windows
powershell.exe get-process | ?{$_.Description -like "*virus*"}
powershell.exe get-process | ?{$_.Description -like "*carbonblack*"}
powershell.exe get-process | ?{$_.Description -like "*defender*"}
Methods to identify Security Software on an endpoint
Supported Platforms: Linux, macOS
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService