# T1063 - Security Software Discovery

## Description from ATT&CK

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

### Windows

Example commands that can be used to obtain security software information are netsh, `reg query` with Reg, `dir` with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.

### Mac

It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
## Atomic Tests

## Atomic Test #1 - Security Software Discovery

Methods to identify Security Software on an endpoint

**Supported Platforms:** Windows

#### Run it with `command_prompt`!

```cmd
netsh.exe advfirewall firewall show all profiles
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
```
## Atomic Test #2 - Security Software Discovery - powershell

Methods to identify Security Software on an endpoint

**Supported Platforms:** Windows

#### Run it with `powershell`!

```powershell
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
```
## Atomic Test #3 - Security Software Discovery - ps

Methods to identify Security Software on an endpoint

**Supported Platforms:** Linux, macOS

#### Run it with `sh`!

```sh
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
```
## Atomic Test #4 - Security Software Discovery - Sysmon Service

Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).

**Supported Platforms:** Windows

#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
fltmc.exe | findstr.exe 385201
```
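The four tests above are the kind of activity a detection engineer validates coverage against, so here is an added detection sketch that is not part of the Atomic Red Team page or the Atomic Red Team project. It walks process-creation records (constructed here, modelled on the image / parent-PID / command-line fields of a Sysmon Event ID 1 or Windows 4688 event) and flags the patterns exercised by Tests #1 through #4. One detail the page's one-line commands hide: a pipeline such as `tasklist.exe | findstr /i virus` appears in process telemetry as two separate processes under the same parent shell, so the rule correlates each `findstr`/`grep` with the enumerator (`tasklist`, `ps`, `fltmc`) that preceded it under the same parent rather than matching `findstr /i defender` on its own. The host names, PIDs and event list are constructed sample data; the vendor term list is taken from the commands on the page and would be extended per environment.

```python
"""Detection sketch for T1063-style security software discovery.

Added example; the event records below are constructed to resemble
process-creation telemetry and are not real logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Strings the atomic tests search the process list for (taken from the page).
# A real rule would carry the full vendor list relevant to the environment.
SECURITY_TERMS = ("virus", " cb", "carbonblack", "defender", "cylance",
                  "little snitch", "cbosxsensorservice")
SYSMON_ALTITUDE = "385201"   # Sysmon minifilter altitude, as in Atomic Test #4

# Processes that enumerate (left side of the pipe) and that filter (right side).
ENUMERATORS = {"tasklist.exe", "ps"}
FILTERS = {"findstr.exe", "grep"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_pid: int      # PID of the spawning shell; ties pipeline stages together
    image: str           # executable basename
    command_line: str


def classify(ev: ProcEvent, siblings: List[ProcEvent]) -> Optional[str]:
    """Label one event, given the earlier events spawned by the same parent."""
    cl = ev.command_line.lower()
    img = ev.image.lower()
    sib_images = {s.image.lower() for s in siblings}

    if img == "netsh.exe" and "advfirewall" in cl and "show" in cl:
        return "T1063: firewall configuration enumeration (netsh advfirewall)"
    if img == "powershell.exe" and "get-process" in cl and any(t in cl for t in SECURITY_TERMS):
        return "T1063: PowerShell process list filtered for security products"
    if img in FILTERS:
        # Sysmon driver altitude check: fltmc output piped into findstr 385201
        if SYSMON_ALTITUDE in cl and "fltmc.exe" in sib_images:
            return "T1063: Sysmon minifilter altitude check (fltmc | findstr)"
        # Process list filtered for a security product name; require the
        # enumerator as an earlier sibling so a lone findstr/grep is not flagged.
        if any(t in cl for t in SECURITY_TERMS) and sib_images & ENUMERATORS:
            return "T1063: process list filtered for security products"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[ProcEvent, str]]:
    """Walk events in arrival order, correlating on (host, parent PID)."""
    seen = defaultdict(list)
    findings = []
    for ev in events:
        key = (ev.host, ev.parent_pid)
        label = classify(ev, seen[key])
        if label:
            findings.append((ev, label))
        seen[key].append(ev)
    return findings


# Constructed sample telemetry: Tests #1, #4 and #2 on a Windows host, Test #3 on
# a Mac, plus one findstr with no enumerator sibling that must NOT be flagged.
SAMPLE_EVENTS = [
    ProcEvent("ws01", 4120, "netsh.exe", "netsh.exe advfirewall firewall show all profiles"),
    ProcEvent("ws01", 4120, "tasklist.exe", "tasklist.exe"),
    ProcEvent("ws01", 4120, "findstr.exe", "findstr /i defender"),
    ProcEvent("ws01", 4120, "fltmc.exe", "fltmc.exe"),
    ProcEvent("ws01", 4120, "findstr.exe", "findstr.exe 385201"),
    ProcEvent("ws01", 5300, "powershell.exe",
              'powershell.exe get-process | ?{$_.Description -like "*cylance*"}'),
    ProcEvent("ws01", 6001, "findstr.exe", "findstr /i defender"),   # no tasklist before it
    ProcEvent("mac02", 771, "ps", "ps -ef"),
    ProcEvent("mac02", 771, "grep", "grep Little Snitch"),
    ProcEvent("mac02", 771, "grep", "grep -v grep"),
]


if __name__ == "__main__":
    for ev, label in detect(SAMPLE_EVENTS):
        print(f"{ev.host} ppid={ev.parent_pid} {ev.image}: {label}")
```

Running the block reports five findings and stays silent on the `findstr /i defender` under parent 6001, which is the point of correlating on the parent PID: filtering for a vendor name is only interesting when it is applied to a process listing. The sibling lookup here is unbounded; a production rule would also bound the window in time and key on the parent's full process GUID rather than a reusable PID.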