Description
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), `reg query` with [Reg](https://attack.mitre.org/software/S0075), `dir` with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
ATT&CK Kill Chain Metadata
- Tactics: discovery
- Platforms: Windows, IaaS, Linux, macOS
Detection Guidance
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.
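As an added illustration of the guidance above (example code, not part of the ATT&CK page), the following detector flags the discovery commands the page names (`tasklist`, `netsh`, `reg query`, and the macOS Little Snitch / KnockKnock checks) in process-creation events, then correlates hits by host and parent process so that a chain of several distinct discovery commands stands out while a lone administrative `tasklist` does not. The rule keywords, event fields, and sample events are all assumptions constructed for the example.

```python
# Added example: keyword rules for T1518.001-style discovery commands, correlated
# per (host, parent process) instead of alerting on each command in isolation.
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # image name of the parent process (assumed field)
    cmdline: str  # full command line of the created process

# Assumed keyword heuristics; tune the product/vendor words to your environment.
RULES = [
    ("tasklist process enumeration", re.compile(r"^tasklist(\.exe)?\b")),
    ("netsh firewall/profile query", re.compile(r"^netsh(\.exe)?\b.*\b(show|dump)\b")),
    ("reg query of security-product keys",
     re.compile(r"^reg(\.exe)?\s+query\b.*(defender|antivirus|firewall|securitycenter)")),
    ("macOS Little Snitch / KnockKnock check", re.compile(r"little ?snitch|knockknock")),
]

def normalize(cmdline: str) -> str:
    """Lower-case and strip a leading quote plus Windows directory so rules anchor on the image name."""
    return re.sub(r'^"?(?:[a-z]:\\[^"\s]*\\)?', "", cmdline.lower())

def match_rules(cmdline: str) -> list[str]:
    norm = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]

def detect(events) -> list[tuple[ProcEvent, str]]:
    """Per-event hits: one (event, rule name) pair for every rule a command line trips."""
    return [(ev, name) for ev in events for name in match_rules(ev.cmdline)]

def chained_discovery(events, min_rules: int = 2) -> dict[tuple[str, str], set[str]]:
    """Group hits by (host, parent) and keep only chains that tripped several distinct rules."""
    chains: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev, name in detect(events):
        chains[(ev.host, ev.parent)].add(name)
    return {key: names for key, names in chains.items() if len(names) >= min_rules}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "powershell.exe", r"tasklist /svc"),
    ProcEvent("ws01", "powershell.exe", r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s'),
    ProcEvent("ws01", "powershell.exe", r"netsh advfirewall show allprofiles"),
    ProcEvent("ws02", "explorer.exe", r"notepad.exe C:\notes\todo.txt"),
    ProcEvent("ws02", "cmd.exe", r'"C:\Windows\System32\tasklist.exe"'),  # lone admin command
    ProcEvent("mac01", "bash", 'ls "/Applications/Little Snitch.app"'),
]
```

Run on the sample, `detect` reports five individual hits, but `chained_discovery` keeps only the `ws01`/`powershell.exe` chain that tripped three different rules, which is the kind of linked behavior the guidance asks analysts to look for.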
Malware
- ABK
- Action RAT
- Amadey
- Astaroth
- AuTo Stealer
- Avenger
- BLUELIGHT
- BadPatch
- Bazar
- BlackByte Ransomware
- Bumblebee
- CHIMNEYSWEEP
- CHOPSTICK
- Carberp
- Clop
- Comnie
- CookieMiner
- CozyCar
- Crimson
- DUSTTRAP
- DarkGate
- DarkTortilla
- DarkWatchman
- DustySky
- EVILNUM
- Epic
- EvilBunny
- Exbyte
- FELIXROOT
- Felismus
- Ferocious
- FinFisher
- Flame
- FlawedAmmyy
- FunnyDream
- Gelsemium
- Gold Dragon
- Grandoreiro
- IcedID
- InvisiMole
- JPIN
- Kasidet
- Latrodectus
- LiteDuke
- LitePower
- Lizar
- Lumma Stealer
- LunarWeb
- Mafalda
- MarkiRAT
- Metamorfo
- Meteor
- Micropsia
- Mispadu
- MoleNet
- More_eggs
- Mosquito
- Netwalker
- NotPetya
- POWERSTATS
- POWRUNER
- PUNCHBUGGY
- PipeMon
- Prikormka
- QakBot
- RTM
- Raspberry Robin
- Remsec
- RogueRobin
- SUNBURST
- Skidmap
- SpicyOmelette
- StoneDrill
- StreamEx
- StrongPity
- Stuxnet
- T9000
- TAMECAT
- TajMahal
- ThiefQuest
- VERMIN
- Valak
- Waterbear
- WhisperGate
- Wingbird
- Woody RAT
- XCSSET
- YAHOYAH
- Zeus Panda
- ZxxZ
- build_downer
- down_new
- jRAT
- xCaon