T1518.001: Security Software Discovery
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are netsh, reg query (Reg), dir (cmd), and tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Adversaries may also utilize the Cloud API to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
unix_mitre_attck_discovery: PT-CR-1689: Unix_Security_Software_Discovery: Reconnaissance for Unix host security software.
mssql_database: PT-CR-407: MSSQL_Audit_Configuration_Discovery: An attempt to get database audit information.
mssql_database: PT-CR-415: MSSQL_Encryption_Configuration_Discovery: An attempt to get database encryption information.
mitre_attck_execution: PT-CR-2459: Dump_Bitlocker_Keys_From_Host: The manage-bde utility or Get-BitLockerVolume cmdlet is used to gain information about the volumes encrypted using BitLocker as well as the recovery keys. An attacker can use this information to decrypt the protected data.
mitre_attck_discovery: PT-CR-1717: AppLocker_Policies_Discovery: A user received information about current AppLocker policies, which may indicate that they are preparing to bypass those policies.
mitre_attck_discovery: PT-CR-330: Security_State_Discovery: An attempt to retrieve information about the state of protection and monitoring tools is detected.
mitre_attck_discovery: PT-CR-2458: Dump_Bitlocker_Keys_From_AD: An attempt to access the ms-FVE-RecoveryInformation class and its ms-FVE-VolumeGuid, ms-FVE-KeyPackage, ms-FVE-RecoveryPassword, and ms-FVE-RecoveryGuid attributes, which contain information about the volumes encrypted using the Windows BitLocker feature as well as the recovery keys. An attacker can use this information to decrypt the protected data.
Detection
ID | Data source and component | Description
---|---|---
DS0009 | Process: Process Creation | Monitor newly executed processes that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
DS0018 | Firewall: Firewall Metadata | Monitor for contextual data about a firewall and activity around it, such as name, policy, or status.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. Note: For Windows, Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential Security Software Discovery.
DS0009 | Process: OS API Execution | Monitor for API calls that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. OS API calls associated with this technique include EnumProcesses, which can be used to enumerate the set of processes running on a host and filtered to look for security-specific processes. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint, but they may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (e.g., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.
DS0018 | Firewall: Firewall Enumeration | Monitor for an extracted list of available firewalls and/or their associated settings/rules (e.g., Azure Network Firewall CLI show commands).
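The following is an added example, not a Positive Technologies rule and not code from MITRE, showing how the command-line indicators named above (tasklist, reg query, netsh, dir, the SecurityCenter2 WMI namespace, Defender cmdlets, and the macOS LittleSnitch/KnockKnock checks) can be matched against process-creation events, and how the noisy indicators are aggregated per host in the spirit of a "mass reconnaissance" rule rather than alerted on individually. It assumes events have already been parsed into a simple dictionary with host, platform and command line (for example from Windows Event ID 4688, Sysmon Event ID 1, or auditd EXECVE records); the indicator lists, confidence labels and sample events are constructed for the example.

```python
"""Added example: a small detector for T1518.001 command-line indicators.

Illustrative code only; not a Positive Technologies rule, not MITRE's code.
Input: normalized process-creation events (host, os, image, cmdline) as you
would get after parsing Windows 4688 / Sysmon 1 / auditd EXECVE records.
The rule list, confidence labels and SAMPLE_EVENTS are constructed.
"""
import re

# (rule name, platform, confidence, pattern). "low" indicators are noisy on
# their own (administrators run tasklist too) and only alert in aggregate.
RULES = [
    ("win_tasklist", "windows", "low",
     re.compile(r"\btasklist(\.exe)?\b", re.I)),
    ("win_reg_query_security", "windows", "low",
     re.compile(r"\breg(\.exe)?\s+query\b.*(windows defender|securityhealth|antivirus|firewall|sysmon)", re.I)),
    ("win_netsh_firewall", "windows", "low",
     re.compile(r"\bnetsh(\.exe)?\b.*\b(adv)?firewall\b.*\bshow\b", re.I)),
    ("win_dir_security_dir", "windows", "low",
     re.compile(r"\bdir\b.*(windows defender|crowdstrike|sophos|kaspersky|symantec|mcafee|sentinelone)", re.I)),
    # root\SecurityCenter2 is queried the same way from wmic and Get-CimInstance
    ("win_securitycenter", "windows", "high",
     re.compile(r"SecurityCenter2|AntiVirusProduct|FirewallProduct|AntiSpywareProduct", re.I)),
    ("win_defender_cmdlet", "windows", "high",
     re.compile(r"Get-Mp(ComputerStatus|Preference|Threat)", re.I)),
    ("mac_security_tool_check", "macos", "high",
     re.compile(r"littlesnitch|knockknock", re.I)),
    ("linux_security_service_check", "linux", "low",
     re.compile(r"\b(systemctl|service|ps|pgrep|which)\b.*\b(auditd|falco|osqueryd|clamd|wazuh)\b", re.I)),
]
CONFIDENCE = {name: conf for name, _, conf, _ in RULES}

# Constructed sample events (hypothetical hosts; command lines are realistic).
SAMPLE_EVENTS = [
    {"host": "ws01", "os": "windows", "image": "tasklist.exe", "cmdline": "tasklist /svc"},
    {"host": "ws01", "os": "windows", "image": "reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware'},
    {"host": "ws01", "os": "windows", "image": "netsh.exe", "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ws01", "os": "windows", "image": "cmd.exe", "cmdline": r'dir "C:\Program Files\Windows Defender"'},
    {"host": "ws02", "os": "windows", "image": "WMIC.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "ws02", "os": "windows", "image": "powershell.exe", "cmdline": "powershell -c Get-MpComputerStatus"},
    {"host": "ws04", "os": "windows", "image": "tasklist.exe", "cmdline": "tasklist /svc"},
    {"host": "ws04", "os": "windows", "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "mac01", "os": "macos", "image": "/bin/ps", "cmdline": "ps aux | grep -i littlesnitch"},
    {"host": "srv01", "os": "linux", "image": "/usr/bin/systemctl", "cmdline": "systemctl status auditd"},
]


def match_event(event):
    """Names of every rule whose platform and pattern match this event."""
    return [name for name, platform, _, rx in RULES
            if platform == event["os"] and rx.search(event["cmdline"])]


def detect(events):
    """Per-event hits, suitable for writing back as enrichment on the raw log."""
    findings = []
    for e in events:
        hits = match_event(e)
        if hits:
            findings.append({"host": e["host"], "cmdline": e["cmdline"], "rules": hits})
    return findings


def triage(events, min_distinct_low=2):
    """Hosts worth an alert: any high-confidence hit, or at least
    min_distinct_low distinct low-confidence indicators on the same host
    (the mass-reconnaissance pattern). Returns {host: sorted rule names}."""
    per_host = {}
    for f in detect(events):
        per_host.setdefault(f["host"], set()).update(f["rules"])
    alerts = {}
    for host, rules in per_host.items():
        high = {r for r in rules if CONFIDENCE[r] == "high"}
        if high or len(rules - high) >= min_distinct_low:
            alerts[host] = sorted(rules)
    return alerts


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

On the sample data, ws01 alerts only because four different low-confidence checks were seen on one host, ws02 and mac01 alert on a single high-confidence indicator, and ws04 (one tasklist) and srv01 (one systemctl status auditd) stay below the threshold. In production the per-host aggregation should be bounded by a time window, and the indicator lists should be tuned to the products actually deployed in the environment.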