T1518.001

Security Software Discovery

Adversaries enumerate installed security software, defensive tools, and monitoring agents prior to executing payloads or deploying evasion techniques. By identifying what endpoint protection, EDR, firewalls, and cloud monitoring agents are present, adversaries can determine whether to proceed with infection, disable specific defenses, or select evasion techniques tailored to the detected product. Common methods include WMI queries to the SecurityCenter2 namespace (enumerating AntiVirusProduct, FirewallProduct, AntiSpywareProduct classes), PowerShell Get-WmiObject/Get-CimInstance targeting security product WMI classes, tasklist and WMIC process enumeration filtered to known AV/EDR binary names, and registry inspection of installed software keys for security vendor paths. Threat actors including Darkhotel, Clop, QakBot, Raspberry Robin, TONESHELL (Mustang Panda), and Sidewinder are documented performing this technique in the wild.

Microsoft Sentinel / Defender

kusto

let AvProcessNames = dynamic([
  "ekrn.exe", "egui.exe", "mssense.exe", "msmpeng.exe", "mbam.exe", "mbamservice.exe",
  "avp.exe", "avguard.exe", "avgnt.exe", "avscan.exe", "avastui.exe", "avastsvc.exe",
  "bdservicehost.exe", "bdredline.exe", "bdagent.exe",
  "sophosav.exe", "sophossps.exe", "savservice.exe", "hmpalert.exe",
  "csfalconservice.exe", "csagent.exe", "falconhost.exe",
  "cbdaemon.exe", "carbonblackk.exe",
  "sentinelagent.exe", "sentinelservicehost.exe", "sentinelstaticengine.exe",
  "cybereason", "amsi", "cylancesvc.exe", "taniumclient.exe",
  "fireeye", "xagt.exe", "trellix", "hxtsr.exe"
]);
// WMI SecurityCenter2 namespace queries — highest fidelity indicator
let WmiSecCenter = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "SecurityCenter"
    or (ProcessCommandLine has_any ("AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct")
        and ProcessCommandLine has_any ("displayName", "Get", "path"))
| extend DetectionSource = "WMI_SecurityCenter2", RiskScore = 80;
// PowerShell WMI/CIM queries targeting security product classes
let PsWmiSec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "SecurityCenter"
    or (ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi", "gcim", "Invoke-WmiMethod")
        and ProcessCommandLine has_any ("AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"))
| extend DetectionSource = "PS_WMI_SecurityCenter2", RiskScore = 75;
// Tasklist or WMIC process enumeration filtered to known AV/EDR binary names
let ProcessEnumAv = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("tasklist.exe", "wmic.exe")
| where ProcessCommandLine has_any (AvProcessNames)
| extend DetectionSource = "Process_Enum_AV", RiskScore = 60;
// Registry queries targeting known security vendor install paths
let RegAvQuery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has "query"
| where ProcessCommandLine has_any (
    "SYSTEM\\CurrentControlSet\\Services\\WinDefend",
    "SOFTWARE\\Microsoft\\Windows Defender",
    "SOFTWARE\\ESET", "SOFTWARE\\Kaspersky Lab",
    "SOFTWARE\\McAfee", "SOFTWARE\\Sophos",
    "SOFTWARE\\CrowdStrike", "SOFTWARE\\Carbon Black",
    "SOFTWARE\\SentinelOne", "SOFTWARE\\Cylance",
    "SOFTWARE\\Symantec", "SOFTWARE\\Bitdefender",
    "SOFTWARE\\Malwarebytes", "SOFTWARE\\Avast", "SOFTWARE\\AVG")
| extend DetectionSource = "Registry_AV_Query", RiskScore = 65;
union WmiSecCenter, PsWmiSec, ProcessEnumAv, RegAvQuery
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionSource, RiskScore
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT asset management and inventory platforms (Lansweeper, ServiceNow Discovery, SCCM hardware inventory agent) that query WMI SecurityCenter2 during scheduled asset collection cycles
Vulnerability scanners (Tenable Nessus, Qualys Cloud Agent, Rapid7 InsightVM) enumerating endpoint security posture during credentialed network scans
Help desk and ITSM automation scripts that check AV product status or version before creating incident tickets or routing to the appropriate support team
Endpoint compliance tools (Ivanti, Tanium Comply, BigFix) performing scheduled security policy audits that verify required security software is installed and running
Internal security operations scripts run by SOC analysts or engineers during incident response or baseline auditing activities

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\wmic.exe" AND (CommandLine="*SecurityCenter*" OR (CommandLine="*AntiVirusProduct*" AND CommandLine="*displayName*") OR CommandLine="*AntiSpywareProduct*" OR CommandLine="*FirewallProduct*"))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*SecurityCenter*" OR CommandLine="*AntiVirusProduct*" OR CommandLine="*AntiSpywareProduct*" OR CommandLine="*FirewallProduct*"))
  OR (Image="*\\tasklist.exe" AND (CommandLine="*ekrn*" OR CommandLine="*egui*" OR CommandLine="*csagent*" OR CommandLine="*msmpeng*" OR CommandLine="*mbam*" OR CommandLine="*avgnt*" OR CommandLine="*avp.exe*" OR CommandLine="*bdservicehost*" OR CommandLine="*sophossps*" OR CommandLine="*sentinelagent*" OR CommandLine="*cbdaemon*" OR CommandLine="*cylancesvc*" OR CommandLine="*xagt*" OR CommandLine="*falconhost*"))
  OR (Image="*\\reg.exe" AND CommandLine="*query*" AND (CommandLine="*WinDefend*" OR CommandLine="*Windows Defender*" OR CommandLine="*ESET*" OR CommandLine="*Kaspersky*" OR CommandLine="*CrowdStrike*" OR CommandLine="*SentinelOne*" OR CommandLine="*Carbon Black*" OR CommandLine="*Symantec*" OR CommandLine="*McAfee*" OR CommandLine="*Sophos*" OR CommandLine="*Bitdefender*" OR CommandLine="*Malwarebytes*"))
)
| eval DetectionSource=case(
    match(Image, "(?i)wmic\.exe") AND match(CommandLine, "(?i)SecurityCenter"), "WMI_SecurityCenter2",
    match(Image, "(?i)wmic\.exe") AND match(CommandLine, "(?i)(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)"), "WMI_SecurityCenter2",
    match(Image, "(?i)(powershell|pwsh)\.exe"), "PS_WMI_SecurityCenter2",
    match(Image, "(?i)tasklist\.exe"), "Process_Enum_AV",
    match(Image, "(?i)reg\.exe"), "Registry_AV_Query",
    true(), "Other"
  )
| eval RiskScore=case(
    DetectionSource="WMI_SecurityCenter2", 80,
    DetectionSource="PS_WMI_SecurityCenter2", 75,
    DetectionSource="Registry_AV_Query", 65,
    DetectionSource="Process_Enum_AV", 60,
    true(), 50
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionSource, RiskScore
| sort - RiskScore - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT asset management and inventory platforms (Lansweeper, ServiceNow Discovery, SCCM hardware inventory agent) that query WMI SecurityCenter2 during scheduled asset collection cycles
Vulnerability scanners (Tenable Nessus, Qualys Cloud Agent, Rapid7 InsightVM) enumerating endpoint security posture during credentialed network scans
Help desk and ITSM automation scripts that check AV product status or version before creating incident tickets or routing to the appropriate support team
Endpoint compliance tools (Ivanti, Tanium Comply, BigFix) performing scheduled security policy audits that verify required security software is installed and running
Internal security operations scripts run by SOC analysts or engineers during incident response or baseline auditing activities

Elastic Security (EQL)

eql

any where event.category == "process" and event.type == "start" and (
  (
    process.name : "wmic.exe" and (
      process.command_line : "*SecurityCenter*" or
      (process.command_line : "*AntiVirusProduct*" and process.command_line : ("*displayName*", "*Get*", "*path*")) or
      process.command_line : "*AntiSpywareProduct*" or
      process.command_line : "*FirewallProduct*"
    )
  ) or
  (
    process.name : ("powershell.exe", "pwsh.exe") and (
      process.command_line : "*SecurityCenter*" or
      process.command_line : ("*AntiVirusProduct*", "*AntiSpywareProduct*", "*FirewallProduct*") or
      (process.command_line : ("*Get-WmiObject*", "*Get-CimInstance*", "*gwmi*", "*gcim*", "*Invoke-WmiMethod*") and
       process.command_line : ("*AntiVirusProduct*", "*AntiSpywareProduct*", "*FirewallProduct*", "*SecurityCenter*"))
    )
  ) or
  (
    process.name : ("tasklist.exe", "wmic.exe") and
    process.command_line : ("*ekrn*", "*egui*", "*mssense*", "*msmpeng*", "*mbam*", "*mbamservice*", "*avp.exe*", "*avguard*", "*avgnt*", "*avscan*", "*avastui*", "*avastsvc*", "*bdservicehost*", "*bdredline*", "*bdagent*", "*sophosav*", "*sophossps*", "*savservice*", "*hmpalert*", "*csfalconservice*", "*csagent*", "*falconhost*", "*cbdaemon*", "*carbonblackk*", "*sentinelagent*", "*sentinelservicehost*", "*cylancesvc*", "*taniumclient*", "*xagt*", "*hxtsr*")
  ) or
  (
    process.name : "reg.exe" and
    process.command_line : "*query*" and
    process.command_line : ("*WinDefend*", "*Windows Defender*", "*\\ESET*", "*Kaspersky Lab*", "*McAfee*", "*Sophos*", "*CrowdStrike*", "*Carbon Black*", "*SentinelOne*", "*Cylance*", "*Symantec*", "*Bitdefender*", "*Malwarebytes*", "*Avast*", "*AVG*")
  )
)

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.*

False Positives

Legitimate IT asset inventory or patch management tools (e.g., Tanium, SCCM, Qualys) that enumerate installed security products as part of compliance scanning
Security operations scripts or SIEM onboarding scripts that query WMI SecurityCenter2 to verify AV status during endpoint enrollment
Helpdesk or SOC analysts manually running wmic/PowerShell commands to troubleshoot security product health on a specific endpoint

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "SourcePayload",
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  "CommandLine",
  "ParentCommandLine",
  CASE
    WHEN ("CommandLine" ILIKE '%wmic%' AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%')) THEN 'WMI_SecurityCenter2'
    WHEN ("CommandLine" ILIKE '%powershell%' AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%')) THEN 'PS_WMI_SecurityCenter2'
    WHEN ("CommandLine" ILIKE '%tasklist%' AND ("CommandLine" ILIKE '%csagent%' OR "CommandLine" ILIKE '%msmpeng%' OR "CommandLine" ILIKE '%mbam%' OR "CommandLine" ILIKE '%sentinelagent%' OR "CommandLine" ILIKE '%cbdaemon%' OR "CommandLine" ILIKE '%cylancesvc%' OR "CommandLine" ILIKE '%falconhost%' OR "CommandLine" ILIKE '%xagt%' OR "CommandLine" ILIKE '%avgnt%' OR "CommandLine" ILIKE '%avp.exe%' OR "CommandLine" ILIKE '%bdservicehost%' OR "CommandLine" ILIKE '%sophossps%' OR "CommandLine" ILIKE '%ekrn%' OR "CommandLine" ILIKE '%egui%')) THEN 'Process_Enum_AV'
    WHEN ("CommandLine" ILIKE '%reg%query%' AND ("CommandLine" ILIKE '%WinDefend%' OR "CommandLine" ILIKE '%Windows Defender%' OR "CommandLine" ILIKE '%ESET%' OR "CommandLine" ILIKE '%Kaspersky%' OR "CommandLine" ILIKE '%CrowdStrike%' OR "CommandLine" ILIKE '%SentinelOne%' OR "CommandLine" ILIKE '%Carbon Black%' OR "CommandLine" ILIKE '%Symantec%' OR "CommandLine" ILIKE '%McAfee%' OR "CommandLine" ILIKE '%Sophos%' OR "CommandLine" ILIKE '%Bitdefender%' OR "CommandLine" ILIKE '%Malwarebytes%')) THEN 'Registry_AV_Query'
    ELSE 'Other'
  END AS DetectionSource,
  CASE
    WHEN ("CommandLine" ILIKE '%wmic%' AND "CommandLine" ILIKE '%SecurityCenter%') THEN 80
    WHEN ("CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%SecurityCenter%') THEN 75
    WHEN ("CommandLine" ILIKE '%reg%query%' AND ("CommandLine" ILIKE '%WinDefend%' OR "CommandLine" ILIKE '%CrowdStrike%' OR "CommandLine" ILIKE '%SentinelOne%')) THEN 65
    WHEN ("CommandLine" ILIKE '%tasklist%' AND ("CommandLine" ILIKE '%csagent%' OR "CommandLine" ILIKE '%sentinelagent%')) THEN 60
    ELSE 50
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 352, 397)
  AND eventid IN (1, 4688)
  AND starttime > NOW() - 86400000
  AND (
    ("CommandLine" ILIKE '%wmic%' AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%'))
    OR (("CommandLine" ILIKE '%powershell%' OR "CommandLine" ILIKE '%pwsh%') AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%'))
    OR ("CommandLine" ILIKE '%tasklist%' AND ("CommandLine" ILIKE '%csagent%' OR "CommandLine" ILIKE '%msmpeng%' OR "CommandLine" ILIKE '%mbam%' OR "CommandLine" ILIKE '%sentinelagent%' OR "CommandLine" ILIKE '%cbdaemon%' OR "CommandLine" ILIKE '%cylancesvc%' OR "CommandLine" ILIKE '%falconhost%' OR "CommandLine" ILIKE '%xagt%' OR "CommandLine" ILIKE '%avgnt%' OR "CommandLine" ILIKE '%ekrn%' OR "CommandLine" ILIKE '%egui%' OR "CommandLine" ILIKE '%sophossps%' OR "CommandLine" ILIKE '%bdservicehost%'))
    OR ("CommandLine" ILIKE '%reg%' AND "CommandLine" ILIKE '%query%' AND ("CommandLine" ILIKE '%WinDefend%' OR "CommandLine" ILIKE '%Windows Defender%' OR "CommandLine" ILIKE '%ESET%' OR "CommandLine" ILIKE '%Kaspersky%' OR "CommandLine" ILIKE '%CrowdStrike%' OR "CommandLine" ILIKE '%SentinelOne%' OR "CommandLine" ILIKE '%Carbon Black%' OR "CommandLine" ILIKE '%Symantec%' OR "CommandLine" ILIKE '%McAfee%' OR "CommandLine" ILIKE '%Sophos%' OR "CommandLine" ILIKE '%Bitdefender%' OR "CommandLine" ILIKE '%Malwarebytes%'))
  )
ORDER BY RiskScore DESC, starttime DESC

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows Event Log QRadar WinCollect agent

Required Tables

events

False Positives

Endpoint management platforms (SCCM, Tanium, BigFix) performing scheduled compliance checks that query WMI for security product status
Automated vulnerability scanners or SIEM onboarding scripts that enumerate endpoint protection software to populate asset inventory
System administrators running manual triage commands to verify AV/EDR health after a reported incident on an endpoint

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json auto
| where EventID in ("1", "4688")
| where (
    (CommandLine matches "*wmic*" and (
      CommandLine matches "*SecurityCenter*" or
      CommandLine matches "*AntiVirusProduct*" or
      CommandLine matches "*AntiSpywareProduct*" or
      CommandLine matches "*FirewallProduct*"
    )) or
    ((CommandLine matches "*powershell*" or CommandLine matches "*pwsh*") and (
      CommandLine matches "*SecurityCenter*" or
      CommandLine matches "*AntiVirusProduct*" or
      CommandLine matches "*AntiSpywareProduct*" or
      CommandLine matches "*FirewallProduct*" or
      (CommandLine matches "*Get-WmiObject*" or CommandLine matches "*Get-CimInstance*" or CommandLine matches "*gcim*" or CommandLine matches "*gwmi*")
    )) or
    (CommandLine matches "*tasklist*" and (
      CommandLine matches "*ekrn*" or CommandLine matches "*egui*" or
      CommandLine matches "*msmpeng*" or CommandLine matches "*mbam*" or
      CommandLine matches "*csagent*" or CommandLine matches "*falconhost*" or
      CommandLine matches "*sentinelagent*" or CommandLine matches "*cbdaemon*" or
      CommandLine matches "*cylancesvc*" or CommandLine matches "*xagt*" or
      CommandLine matches "*avgnt*" or CommandLine matches "*avp.exe*" or
      CommandLine matches "*bdservicehost*" or CommandLine matches "*sophossps*"
    )) or
    (CommandLine matches "*reg*" and CommandLine matches "*query*" and (
      CommandLine matches "*WinDefend*" or CommandLine matches "*Windows Defender*" or
      CommandLine matches "*ESET*" or CommandLine matches "*Kaspersky*" or
      CommandLine matches "*CrowdStrike*" or CommandLine matches "*SentinelOne*" or
      CommandLine matches "*Carbon Black*" or CommandLine matches "*Symantec*" or
      CommandLine matches "*McAfee*" or CommandLine matches "*Sophos*" or
      CommandLine matches "*Bitdefender*" or CommandLine matches "*Malwarebytes*"
    ))
  )
| if (CommandLine matches "*wmic*" and CommandLine matches "*SecurityCenter*", "WMI_SecurityCenter2",
    if (CommandLine matches "*powershell*" and CommandLine matches "*SecurityCenter*", "PS_WMI_SecurityCenter2",
    if (CommandLine matches "*powershell*" and (CommandLine matches "*AntiVirusProduct*" or CommandLine matches "*AntiSpywareProduct*" or CommandLine matches "*FirewallProduct*"), "PS_WMI_SecurityCenter2",
    if (CommandLine matches "*tasklist*", "Process_Enum_AV",
    if (CommandLine matches "*reg*" and CommandLine matches "*query*", "Registry_AV_Query",
    "Other"))))) as DetectionSource
| if (DetectionSource = "WMI_SecurityCenter2", 80,
    if (DetectionSource = "PS_WMI_SecurityCenter2", 75,
    if (DetectionSource = "Registry_AV_Query", 65,
    if (DetectionSource = "Process_Enum_AV", 60,
    50)))) as RiskScore
| fields _messageTime, Computer, User, CommandLine, ParentCommandLine, Image, ParentImage, DetectionSource, RiskScore
| sort by RiskScore, _messageTime

medium severity high confidence

Data Sources

Sysmon via Windows Event Log Windows Security Event Log Sumo Logic Windows Collection Agent

Required Tables

windows/sysmon windows/security

False Positives

Endpoint management and patch management systems (e.g., SCCM, Qualys, Rapid7) that regularly check WMI SecurityCenter2 for compliance posture reporting
SOC or helpdesk runbooks that include checking AV product status via PowerShell or WMIC as part of standard triage procedures for incident response tickets
Software deployment scripts that verify pre-existing security product presence before installing new endpoint agents to avoid conflicts

Google Chronicle / SecOps

yaral

rule security_software_discovery_t1518_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversary enumeration of installed security software via WMI SecurityCenter2, PowerShell CIM/WMI queries, process enumeration of known AV/EDR binaries, and registry inspection of security vendor keys — MITRE ATT&CK T1518.001"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1518.001"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $image
    (
      (
        re.regex($image, `(?i)\\wmic\.exe$`) and
        (
          re.regex($cmdline, `(?i)SecurityCenter`) or
          re.regex($cmdline, `(?i)(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)`)
        )
      ) or
      (
        re.regex($image, `(?i)\\(powershell|pwsh)\.exe$`) and
        (
          re.regex($cmdline, `(?i)SecurityCenter`) or
          re.regex($cmdline, `(?i)(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)`) or
          (
            re.regex($cmdline, `(?i)(Get-WmiObject|Get-CimInstance|gwmi|gcim|Invoke-WmiMethod)`) and
            re.regex($cmdline, `(?i)(AntiVirusProduct|AntiSpywareProduct|FirewallProduct|SecurityCenter)`)
          )
        )
      ) or
      (
        re.regex($image, `(?i)\\tasklist\.exe$`) and
        re.regex($cmdline, `(?i)(ekrn|egui|mssense|msmpeng|mbam|mbamservice|avp\.exe|avguard|avgnt|avscan|avastui|avastsvc|bdservicehost|bdredline|bdagent|sophosav|sophossps|savservice|hmpalert|csfalconservice|csagent|falconhost|cbdaemon|carbonblackk|sentinelagent|sentinelservicehost|cylancesvc|taniumclient|xagt|hxtsr)`)
      ) or
      (
        re.regex($image, `(?i)\\reg\.exe$`) and
        re.regex($cmdline, `(?i)query`) and
        re.regex($cmdline, `(?i)(WinDefend|Windows.Defender|\\\\ESET|Kaspersky.Lab|McAfee|Sophos|CrowdStrike|Carbon.Black|SentinelOne|Cylance|Symantec|Bitdefender|Malwarebytes|Avast|\\\\AVG)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint via Chronicle Forwarder Sysmon via Chronicle ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Enterprise IT asset management tools running scheduled WMI queries against SecurityCenter2 to populate CMDB security posture fields for compliance dashboards
Security operations automation scripts querying installed AV/EDR products during automated incident triage workflows to confirm protection is active
Third-party SIEM or XDR onboarding agents that enumerate endpoint security software to configure data sources and telemetry routing during initial deployment

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /\\(wmic|powershell|pwsh|tasklist|reg)\.exe$/i
| CommandLine = /(SecurityCenter|AntiVirusProduct|AntiSpywareProduct|FirewallProduct|Get-WmiObject|Get-CimInstance|gwmi|gcim|ekrn|egui|msmpeng|mbam|csagent|falconhost|sentinelagent|cbdaemon|cylancesvc|xagt|avgnt|avp\.exe|bdservicehost|sophossps|WinDefend|Windows Defender|ESET|Kaspersky|CrowdStrike|SentinelOne|Carbon Black|Symantec|McAfee|Sophos|Bitdefender|Malwarebytes)/i
| case {
    ImageFileName = /wmic\.exe/i AND CommandLine = /SecurityCenter/i | DetectionSource := "WMI_SecurityCenter2" | RiskScore := 80;
    ImageFileName = /wmic\.exe/i AND CommandLine = /(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)/i | DetectionSource := "WMI_SecurityCenter2" | RiskScore := 80;
    ImageFileName = /(powershell|pwsh)\.exe/i AND CommandLine = /(SecurityCenter|AntiVirusProduct|AntiSpywareProduct|FirewallProduct)/i | DetectionSource := "PS_WMI_SecurityCenter2" | RiskScore := 75;
    ImageFileName = /tasklist\.exe/i | DetectionSource := "Process_Enum_AV" | RiskScore := 60;
    ImageFileName = /reg\.exe/i AND CommandLine = /query/i | DetectionSource := "Registry_AV_Query" | RiskScore := 65;
    * | DetectionSource := "Other" | RiskScore := 50;
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionSource, RiskScore])
| sort(RiskScore, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives

Falcon sensor self-diagnostic or health-check routines that may inspect co-installed security products for compatibility verification during updates
Managed detection and response (MDR) scripts executed during investigation workflows that query installed security tools to assess endpoint defense posture
Software packaging or deployment automation that checks for conflicting security products before installing a new EDR agent to prevent multi-agent conflicts

Last updated: 2026-04-20 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1518.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Security Software Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections