Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
TECHNIQUES
Enterprise
Reconnaissance
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Resource Development
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Domain Policy Modification
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Domain Policy Modification
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Weaken Encryption
Credential Access
Brute Force
Credentials from Password Stores
Forge Web Credentials
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Configuration Repository
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Automated Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Software Discovery
  5. Security Software Discovery

Software Discovery: Security Software Discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.[1]

ID: T1518.001
Sub-technique of:  T1518
Tactic: Discovery
Platforms: AWS, Azure, Azure AD, GCP, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: User
Data Sources: AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
CAPEC ID: CAPEC-581
Version: 1.1
Created: 21 February 2020
Last Modified: 16 September 2020

Procedure Examples

Name Description
ABK

ABK has the ability to identify the installed anti-virus product on the compromised host.[2]
Astaroth

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. [3]
Avenger

Avenger has the ability to identify installed anti-virus products on a compromised host.[2]
BadPatch

BadPatch uses WMI to enumerate installed security products in the victim’s environment.[4]
build_downer

build_downer has the ability to detect if the infected host is running an anti-virus process.[2]
Carberp

Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[5]
CHOPSTICK

CHOPSTICK checks for antivirus and forensics software.[6]
Cobalt Group

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[7]
Comnie

Comnie attempts to detect several anti-virus products.[8]
CookieMiner

CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.[9]
CozyCar

The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[10]
Crimson

Crimson contains a command to collect information about anti-virus software on the victim.[11]
Darkhotel

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[12]
down_new

down_new has the ability to detect anti-virus products and processes on a compromised host.[2]
DustySky

DustySky checks for the existence of anti-virus.[13]
Empire

Empire can enumerate antivirus software on the target.[14]
Epic

Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.[15]
EvilBunny

EvilBunny has been observed querying installed antivirus software.[16]
Felismus

Felismus checks for processes associated with anti-virus vendors.[17]
FELIXROOT

FELIXROOT checks for installed security software like antivirus and firewall.[18]
FIN8

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[19]
FinFisher

FinFisher probes the system to check for antimalware processes.[20][21]
Flame

Flame identifies security software such as antivirus through the Security module.[22][23]
FlawedAmmyy

FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[24]
Frankenstein

Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.[25]
Gold Dragon

Gold Dragon checks for anti-malware products and processes.[26]
InvisiMole

InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.[27]
JPIN

JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[28]
jRAT

jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[29][30]
Kasidet

Kasidet has the ability to identify any anti-virus installed on the infected system.[31]
Metamorfo

Metamorfo collects a list of installed antivirus software from the victim’s system.[32]

Micropsia

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[33][34]
More_eggs

More_eggs can obtain information on installed anti-malware programs.[35]
Mosquito

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[36]
MuddyWater

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[37]
Naikon

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[38]
netsh

netsh can be used to discover system firewall settings.[39][40]
Netwalker

Netwalker can detect and terminate active security software-related processes on infected systems.[41]

Patchwork

Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[42]
PipeMon

PipeMon can check for the presence of ESET and Kaspersky security software.[43]
POWERSTATS

POWERSTATS has detected security tools.[44]
POWRUNER

POWRUNER may collect information on the victim's anti-virus software.[45]
Prikormka

A module in Prikormka collects information from the victim about installed anti-virus software.[46]
PUNCHBUGGY

PUNCHBUGGY can gather AVs registered in the system.[47]

Remsec

Remsec has a plugin to detect active drivers of some security products.[48]
Rocke

Rocke used scripts which detected and uninstalled antivirus software.[49][50]
RogueRobin

RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.[51][52]
ROKRAT

ROKRAT checks for debugging tools.[53][54]
RTM

RTM can obtain information about security software on the victim.[55]
Skidmap

Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.[56]

StoneDrill

StoneDrill can check for antivirus and antimalware programs.[57]

StreamEx

StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.[58]
StrongPity

StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.[59]
Sunburst

Sunburst checked for a variety of antivirus/endpoint detection agents prior to execution.[60][61]
T9000

T9000 performs checks for various antivirus and security products during installation.[62]
TajMahal

TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.[63]
Tasklist

Tasklist can be used to enumerate security software currently running on a system by process name of known products.[64]
The White Company

The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[65]
Tropic Trooper

Tropic Trooper can search for anti-virus software running on the system.[66]
Turla

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[67]
Valak

Valak can determine if a compromised host has security products installed.[68]
VERMIN

VERMIN uses WMI to check for anti-virus software installed on the system.[69]
Wingbird

Wingbird checks for the presence of Bitdefender security software.[70]
Wizard Spider

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[71]
YAHOYAH

YAHOYAH checks for antimalware solution processes on the system.[72]
Zeus Panda

Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.[73][74]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

In cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.

References

  1. A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
  2. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  3. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  4. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  5. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  6. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  7. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  8. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  9. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  10. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  11. Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  12. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  13. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  14. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  15. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  16. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  17. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  18. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  19. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  20. FinFisher. (n.d.). Retrieved December 20, 2017.
  21. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  22. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  23. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  24. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  25. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  26. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  27. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  28. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  29. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  30. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  31. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  32. Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  33. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  34. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  35. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  36. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  37. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  1. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  2. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  3. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  4. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  5. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  6. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  7. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  8. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  9. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  10. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  11. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  12. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  13. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  14. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  15. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  16. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  17. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  18. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  19. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  20. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  21. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  22. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  23. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  24. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  25. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  26. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  27. Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
  28. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  29. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  30. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  31. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  32. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  33. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  34. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  35. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  36. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  37. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.