Software Discovery: Security Software Discovery, Sub-technique T1518.001 - Enterprise
ABK has the ability to identify the installed anti-virus product on the compromised host.[2]
Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder.[3]
Avenger has the ability to identify installed anti-virus products on a compromised host.[2]
BadPatch uses WMI to enumerate installed security products in the victim’s environment.[4]
build_downer has the ability to detect if the infected host is running an anti-virus process.[2]
Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[5]
CHOPSTICK checks for antivirus and forensics software.[6]
Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[7]
Comnie attempts to detect several anti-virus products.[8]
CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.[9]
The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[10]
Crimson contains a command to collect information about anti-virus software on the victim.[11]
Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[12]
down_new has the ability to detect anti-virus products and processes on a compromised host.[2]
DustySky checks for the existence of anti-virus.[13]
Empire can enumerate antivirus software on the target.[14]
Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.[15]
EvilBunny has been observed querying installed antivirus software.[16]
Felismus checks for processes associated with anti-virus vendors.[17]
FELIXROOT checks for installed security software like antivirus and firewall.[18]
FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[19]
FinFisher probes the system to check for antimalware processes.[20][21]
Flame identifies security software such as antivirus through the Security module.[22][23]
FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[24]
Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.[25]
Gold Dragon checks for anti-malware products and processes.[26]
InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.[27]
JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[28]
jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[29][30]
Kasidet has the ability to identify any anti-virus installed on the infected system.[31]
Metamorfo collects a list of installed antivirus software from the victim’s system.[32]
Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[33][34]
More_eggs can obtain information on installed anti-malware programs.[35]
Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[36]
MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[37]
Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[38]
netsh can be used to discover system firewall settings.[39][40]
Netwalker can detect and terminate active security software-related processes on infected systems.[41]
Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[42]
PipeMon can check for the presence of ESET and Kaspersky security software.[43]
POWERSTATS has detected security tools.[44]
POWRUNER may collect information on the victim's anti-virus software.[45]
A module in Prikormka collects information from the victim about installed anti-virus software.[46]
PUNCHBUGGY can gather AVs registered in the system.[47]
Remsec has a plugin to detect active drivers of some security products.[48]
Rocke used scripts which detected and uninstalled antivirus software.[49][50]
RogueRobin enumerates running processes to search for Wireshark and the Windows Sysinternals suite.[51][52]
ROKRAT checks for debugging tools.[53][54]
RTM can obtain information about security software on the victim.[55]
Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.[56]
StoneDrill can check for antivirus and antimalware programs.[57]
StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.[58]
StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.[59]
Sunburst checked for a variety of antivirus/endpoint detection agents prior to execution.[60][61]
T9000 performs checks for various antivirus and security products during installation.[62]
TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.[63]
Tasklist can be used to enumerate security software currently running on a system by matching the process names of known products.[64]
The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[65]
Tropic Trooper can search for anti-virus software running on the system.[66]
Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[67]
Valak can determine if a compromised host has security products installed.[68]
VERMIN uses WMI to check for anti-virus software installed on the system.[69]
Wingbird checks for the presence of Bitdefender security software.[70]
Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[71]
YAHOYAH checks for antimalware solution processes on the system.[72]
Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.[73][74]