Security Software Discovery (T1518.001)
Security Software Discovery [T1518.001]
Last updated
Security Software Discovery [T1518.001]
Last updated
Name: Security Software Discovery
ID: T1518.001
Tactics:
Technique:
Security Software Discovery (T1518.001) is a sub-technique within the MITRE ATT&CK framework, categorized under the "Discovery" tactic. Attackers leverage this sub-technique to identify and enumerate security software, such as antivirus, firewall, intrusion detection systems, and endpoint detection and response (EDR) solutions installed on targeted systems and networks. Identifying security software allows adversaries to tailor their subsequent actions to evade detection, disable protective measures, or select specific exploits that bypass identified defenses.
Attackers typically perform Security Software Discovery through various methods and mechanisms:
Process and Service Enumeration:
Attackers often enumerate running processes and installed services on compromised hosts to identify security software. Common utilities and commands include:
Windows: tasklist, sc query, wmic service get name,displayname, Get-Service (PowerShell)
Linux: ps aux, systemctl list-units, service --status-all
File System Inspection:
Attackers search specific directories and file paths commonly associated with security software installations, configuration files, or logs. Examples include:
Windows: C:\Program Files\, C:\Program Files (x86)\, C:\ProgramData\
Linux: /etc/, /opt/, /var/log/
Registry Queries (Windows):
Attackers may query the Windows registry to identify installed antivirus or security products:
Registry paths such as:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKLM\SOFTWARE\WOW6432Node\
HKLM\SYSTEM\CurrentControlSet\Services\
Command-line Tools and Scripts:
Attackers utilize built-in or custom scripts and tools to automate discovery:
PowerShell scripts that query installed software via WMI or CIM instances.
Linux shell scripts utilizing standard commands (grep, find, locate) to detect known security software indicators.
Network Scanning and Fingerprinting:
Attackers perform scanning and fingerprinting activities to detect security software based on open ports, banners, or network signatures:
Tools such as Nmap, masscan, or custom scanners.
Detection of specific security product management interfaces or ports.
API Calls and System Queries:
Attackers leverage API calls to query installed software or security-related settings:
Windows APIs such as WMI (Win32_Product) or CIM.
Linux system calls to enumerate installed packages (dpkg, rpm, yum, dnf).
Attackers commonly use Security Software Discovery at various stages of the attack lifecycle:
Initial Access and Reconnaissance:
Early in the attack cycle, attackers enumerate security software to determine if the environment is well-defended, guiding decisions on persistence and lateral movement strategies.
Privilege Escalation and Persistence:
Attackers identify security solutions to understand potential obstacles in escalating privileges or maintaining persistence, allowing them to choose suitable methods to evade or disable defenses.
Defense Evasion and Execution:
Prior to executing payloads or malicious scripts, attackers check for installed security software to select payloads with higher chances of evasion or to disable defensive tools proactively.
Lateral Movement and Collection:
Before moving laterally within networks, attackers conduct discovery to identify security controls that might detect or block lateral movement techniques, influencing their choice of tactics and procedures.
Exfiltration and Impact:
Attackers may identify security software to ensure that exfiltration activities or destructive operations are unlikely to trigger immediate alerts or automated responses.
Detection of Security Software Discovery activities typically involves monitoring and alerting on suspicious behaviors, including:
Process Monitoring and Command-line Auditing:
Detect unusual execution of commands or scripts commonly used for software enumeration:
Windows: Monitoring via Sysmon, Windows Event Logs (4688), EDR tools.
Linux: Auditd logs, bash history analysis, EDR platforms.
Registry Monitoring (Windows):
Alerting on suspicious registry queries or enumeration activities targeting software installation keys or security product entries.
File System Access Monitoring:
Observing unusual access patterns to directories containing security software installations or configuration files.
Network Traffic Analysis:
Identifying scanning or fingerprinting activities targeting management interfaces or ports associated with security software.
API Call Monitoring:
Detecting suspicious API calls or queries to system components designed to enumerate installed software or security solutions.
Indicators of Compromise (IoCs):
Suspicious scripts or binaries executing enumeration commands (wmic, tasklist, ps aux).
Unusual registry queries targeting installed software keys.
Unexpected access to security software configuration files or directories.
Network scans targeting known security software ports or management interfaces.
Early detection of Security Software Discovery is critical due to the following potential impacts:
Defense Evasion:
Attackers who successfully identify security software can tailor their attacks to evade detection, significantly increasing the likelihood of successful compromise.
Disabling or Tampering with Security Controls:
Knowledge of installed security software allows attackers to disable, bypass, or manipulate these controls, leaving the organization vulnerable to further attacks.
Targeted Exploitation:
Attackers may use information gathered from security software enumeration to choose targeted exploits or payloads specifically designed to bypass installed defenses.
Reduced Incident Response Effectiveness:
Attackers aware of security software capabilities and configurations can better anticipate and evade defensive measures, complicating incident response and remediation efforts.
Increased Risk of Data Loss:
Successful evasion or disabling of security controls can lead to unauthorized data exfiltration, espionage, or destructive activities, causing significant operational and reputational damage.
Real-world examples of attackers employing Security Software Discovery techniques include:
APT29 (Cozy Bear):
Known to enumerate security software by executing commands such as tasklist and querying installed antivirus solutions via WMI, enabling them to tailor payloads and evade detection.
FIN7:
Utilized PowerShell scripts and custom tools to identify installed security products, including antivirus and EDR solutions, allowing them to disable or bypass these controls during attacks targeting financial institutions.
TrickBot Malware:
Actively enumerates installed security software by querying registry entries and scanning running processes, using this information to disable or avoid detection mechanisms before deploying ransomware payloads such as Ryuk.
Wizard Spider (Ryuk ransomware):
Prior to ransomware deployment, attackers enumerate antivirus and EDR solutions to disable or terminate their processes, reducing the likelihood of detection or prevention.
Conti Ransomware Group:
Conducted extensive reconnaissance to identify installed security tools, allowing them to disable or circumvent defenses effectively, facilitating successful ransomware deployment and data exfiltration operations.
In these scenarios, attackers commonly used built-in utilities (e.g., PowerShell, wmic, tasklist) or custom scripts and tools to enumerate installed security software. The impacts included successful defense evasion, persistence, lateral movement, data exfiltration, and extensive operational disruption.