CircleCI Atomic Red Team doc generator
98 lines
3.0 KiB
Markdown
98 lines
3.0 KiB
Markdown
# T1063 - Security Software Discovery
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1063)
|
|
<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
|
|
|
|
|
|
### Windows
|
|
|
|
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.
|
|
|
|
### Mac
|
|
|
|
It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Security Software Discovery](#atomic-test-1---security-software-discovery)
|
|
|
|
- [Atomic Test #2 - Security Software Discovery - powershell](#atomic-test-2---security-software-discovery---powershell)
|
|
|
|
- [Atomic Test #3 - Security Software Discovery - ps](#atomic-test-3---security-software-discovery---ps)
|
|
|
|
- [Atomic Test #4 - Security Software Discovery - Sysmon Service](#atomic-test-4---security-software-discovery---sysmon-service)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Security Software Discovery
|
|
Methods to identify Security Software on an endpoint
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
netsh.exe advfirewall firewall show all profiles
|
|
tasklist.exe
|
|
tasklist.exe | findstr /i virus
|
|
tasklist.exe | findstr /i cb
|
|
tasklist.exe | findstr /i defender
|
|
tasklist.exe | findstr /i cylance
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Security Software Discovery - powershell
|
|
Methods to identify Security Software on an endpoint
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `powershell`!
|
|
```
|
|
get-process | ?{$_.Description -like "*virus*"}
|
|
get-process | ?{$_.Description -like "*carbonblack*"}
|
|
get-process | ?{$_.Description -like "*defender*"}
|
|
get-process | ?{$_.Description -like "*cylance*"}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Security Software Discovery - ps
|
|
Methods to identify Security Software on an endpoint
|
|
|
|
**Supported Platforms:** Linux, macOS
|
|
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
ps -ef | grep Little\ Snitch | grep -v grep
|
|
ps aux | grep CbOsxSensorService
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Security Software Discovery - Sysmon Service
|
|
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
```
|
|
fltmc.exe | findstr.exe 385201
|
|
```
|
|
|
|
|
|
|
|
<br/>
|