Description
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Adversaries may also utilize the Cloud API to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
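As an added illustration from the defender's side (not part of the ATT&CK entry or any vendor's tooling), the following Python runs a small set of detection rules, built from the discovery commands cited on this page, over constructed process-creation events; the event fields, host names, user names and rule names are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry); each record
# mimics the fields an EDR/Sysmon event carries. The command lines are the
# discovery commands this technique page lists for the groups and software above.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "tasklist /svc | findstr /i \"ekrn egui\""},
    {"host": "ws01", "user": "alice", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
    {"host": "srv02", "user": "svc_backup", "parent": "services.exe", "image": "sc.exe",
     "cmdline": "sc query windefend"},
    {"host": "srv02", "user": "bob", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall show rule name=all"},
    {"host": "ws03", "user": "carol", "parent": "cmd.exe", "image": "WMIC.exe",
     "cmdline": "WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "dir C:\\Users\\carol\\Documents"},
]

# Rule name -> regex applied to the lower-cased command line. Patterns follow the
# commands cited on this page: tasklist piped to findstr, SecurityCenter2/WMI
# queries, sc query of the Defender/Sense services, and netsh advfirewall.
RULES = {
    "T1518.001 tasklist piped to findstr": re.compile(r"\btasklist\b.*\|\s*findstr\b"),
    "T1518.001 SecurityCenter2 / AntiVirusProduct query": re.compile(r"securitycenter2|antivirusproduct"),
    "T1518.001 sc query of Defender services": re.compile(r"\bsc(\.exe)?\s+query\s+(windefend|sense)\b"),
    "T1518.001 netsh advfirewall enumeration": re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\b"),
}

def classify(event):
    """Return the names of every rule the event's command line matches."""
    cmd = event.get("cmdline", "").lower()
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def detect(events):
    """Return (event, matched rule names) for each matching event; parent and user
    are kept so an analyst can triage (an Office parent running a SecurityCenter2
    query deserves more attention than an administrator's interactive shell)."""
    return [(ev, names) for ev in events if (names := classify(ev))]

def hits_by_host(events):
    """Count matched events per host; a burst on one host suggests automated discovery."""
    counts = {}
    for ev, _ in detect(events):
        counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts

if __name__ == "__main__":
    for ev, names in detect(SAMPLE_EVENTS):
        print(f'{ev["host"]:6} {ev["parent"]:>14} -> {ev["image"]:<16} {", ".join(names)}')
```

In production the same rules would be expressed as SIEM queries over process-creation telemetry, with allow-listing for the vulnerability-management and inventory tooling that legitimately runs these queries.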
Platforms
Threat Groups (27)
| ID | Group | Context |
|---|---|---|
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has searched for anti-malware strings and anti-virus processes running on the system.(Citation: Sec... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used the Windows service <code>winmgmts:\\.\root\SecurityCenter2</code> to check installed ant... |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) uses a loader DLL file to collect AV product names from an infected host.(Citation: MalwareBytes Sid... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used malware to identify installed AV and commonly used forensic and malware analysis tools.(Ci... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has identified security software, configurations, defensive tools, and sensors installed on a compromis... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used Registry keys to detect and avoid executing in potential sandboxes.(Citation: FireEye Know Your... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used Windows Management Instrumentation (WMI) to check for anti-virus products.(Citation: Mandiant ... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used tools to search victim systems for security products such as antivirus and firewall software.... |
| G0089 | The White Company | [The White Company](https://attack.mitre.org/groups/G0089) has checked for specific antivirus products on the target’s computer, including Kaspersky, ... |
| G0019 | Naikon | [Naikon](https://attack.mitre.org/groups/G0019) uses commands such as <code>netsh advfirewall firewall</code> to discover local firewall settings.(Cit... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) used a JavaScript backdoor that is capable of collecting a list of the security solutions instal... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used PowerShell scripts to identify security software on the victim machine.(Citation: Sy... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI to identify anti-virus products installed on a victim's machine.(Citation: DFIR Ry... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) scanned the “Program Files” directories for a directory with the string “Total Security” (the insta... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to check running processes against a hard-coded list of security tools often used... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has detected endpoint security solutions using `sc query sense` and `sc query windefend`.(Citation... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to discover third party endpoint detection and response (EDR) tools on compromise... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has checked for the presence of antivirus software with <code>powershell Get-CimInstance -Namespace r... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for security products on infected machines.(Citation: ATT TeamTNT Chimaera September 202... |
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) collects the installed antivirus on the victim machine.(Citation: SCILabs Malteiro 2021) |
Associated Software (111)
| ID | Name | Type | Context |
|---|---|---|---|
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) attempts to identify security software running on the victim machine, such as BitDefender, ... |
| S0611 | Clop | Malware | [Clop](https://attack.mitre.org/software/S0611) can search for processes with antivirus and antimalware product names.(Citation: Mcafee Clop Aug 2019)... |
| S0469 | ABK | Malware | [ABK](https://attack.mitre.org/software/S0469) has the ability to identify the installed anti-virus product on the compromised host.(Citation: Trend M... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has identified AV products on an infected host using the following command: `WMIC /Node:localhost ... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) collects a list of installed antivirus software from the victim’s system.(Citation: Fortinet Meta... |
| S1234 | SplatCloak | Malware | [SplatCloak](https://attack.mitre.org/software/S1234) has identified drivers of AV solutions by searching for related filenames, keywords and signed c... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has checked for the presence of ESET antivirus applications `ekrn.exe` and `egui.exe`.(Citation: ... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can identify the installed antivirus product on a targeted system.(Citation: Crowdstrike Qakbot Octo... |
| S0339 | Micropsia | Malware | [Micropsia](https://attack.mitre.org/software/S0339) searches for anti-virus software and firewall products installed on the victim’s machine using WM... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) contains a command to collect information about anti-virus software on the victim.(Citation: Proofp... |
| S0330 | Zeus Panda | Malware | [Zeus Panda](https://attack.mitre.org/software/S0330) checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s en... |
| S9032 | MuddyViper | Malware | [MuddyViper](https://attack.mitre.org/software/S9032) has the ability to check for a specified list of security tools in the compromised environment.(... |
| S1244 | Medusa Ransomware | Malware | [Medusa Ransomware](https://attack.mitre.org/software/S1244) has the capability to detect security solutions for termination or deletion within the vi... |
| S1025 | Amadey | Malware | [Amadey](https://attack.mitre.org/software/S1025) has checked for a variety of antivirus products.(Citation: Korean FSI TA505 2020)(Citation: BlackBer... |
| S0244 | Comnie | Malware | [Comnie](https://attack.mitre.org/software/S0244) attempts to detect several anti-virus products.(Citation: Palo Alto Comnie) |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020) |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has identified installed antivirus software on the system.(Citation: Kroll RedLine Stealer ... |
| S0046 | CozyCar | Malware | The main [CozyCar](https://attack.mitre.org/software/S0046) dropper checks whether the victim has an anti-virus product installed. If the installed pr... |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has detected antivirus processes using commands such as “tasklist” and “findstr.”(Citation: Q... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has checked whether SELinux is enabled on the targeted host.(Citation: Google UNC5221 BRICKSTORM... |
Frequently Asked Questions
What is T1518.001 (Security Software Discovery)?
T1518.001 is a MITRE ATT&CK technique named 'Security Software Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cl...
How can T1518.001 be detected?
Detection of T1518.001 (Security Software Discovery) typically relies on endpoint telemetry, in particular process-creation events with their command-line arguments, where the discovery commands cited on this page (netsh advfirewall, reg query, tasklist piped to findstr, sc query of the Defender and Sense services, and WMI or Get-CimInstance queries of the SecurityCenter2 namespace) can be matched, together with system logs and network traffic. Use SIEM rules, EDR solutions, and behavioral analytics to identify this activity, giving weight to the parent process and to bursts of discovery commands on a single host.
What mitigations exist for T1518.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1518.001?
Known threat groups using T1518.001 include: Darkhotel, Sidewinder, SideCopy, Windshift, APT38, FIN8, APT42, TA2541.