Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
66 lines
1.6 KiB
YAML
66 lines
1.6 KiB
YAML
---
|
|
attack_technique: T1063
|
|
display_name: Security Software Discovery
|
|
|
|
atomic_tests:
|
|
- name: Security Software Discovery
|
|
description: |
|
|
Methods to identify Security Software on an endpoint
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
netsh.exe advfirewall firewall show all profiles
|
|
tasklist.exe
|
|
tasklist.exe | findstr /i virus
|
|
tasklist.exe | findstr /i cb
|
|
tasklist.exe | findstr /i defender
|
|
tasklist.exe | findstr /i cylance
|
|
|
|
- name: Security Software Discovery - powershell
|
|
description: |
|
|
Methods to identify Security Software on an endpoint
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
get-process | ?{$_.Description -like "*virus*"}
|
|
get-process | ?{$_.Description -like "*carbonblack*"}
|
|
get-process | ?{$_.Description -like "*defender*"}
|
|
get-process | ?{$_.Description -like "*cylance*"}
|
|
|
|
- name: Security Software Discovery - ps
|
|
description: |
|
|
Methods to identify Security Software on an endpoint
|
|
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
ps -ef | grep Little\ Snitch | grep -v grep
|
|
ps aux | grep CbOsxSensorService
|
|
|
|
- name: Security Software Discovery - Sysmon Service
|
|
description: |
|
|
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
fltmc.exe | findstr.exe 385201 |