Detect Security Software Discovery in IBM QRadar

Adversaries enumerate installed security software, defensive tools, and monitoring agents prior to executing payloads or deploying evasion techniques. By identifying what endpoint protection, EDR, firewalls, and cloud monitoring agents are present, adversaries can determine whether to proceed with infection, disable specific defenses, or select evasion techniques tailored to the detected product. Common methods include WMI queries to the SecurityCenter2 namespace (enumerating AntiVirusProduct, FirewallProduct, AntiSpywareProduct classes), PowerShell Get-WmiObject/Get-CimInstance targeting security product WMI classes, tasklist and WMIC process enumeration filtered to known AV/EDR binary names, and registry inspection of installed software keys for security vendor paths. Threat actors including Darkhotel, Clop, QakBot, Raspberry Robin, TONESHELL (Mustang Panda), and Sidewinder are documented performing this technique in the wild.

MITRE ATT&CK

Tactic
Discovery
Technique
T1518 Software Discovery
Sub-technique
T1518.001 Security Software Discovery
Canonical reference
https://attack.mitre.org/techniques/T1518/001/

QRadar Detection Query

AQL (IBM QRadar):
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "SourcePayload",
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  "CommandLine",
  "ParentCommandLine",
  CASE
    WHEN ("CommandLine" ILIKE '%wmic%' AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%')) THEN 'WMI_SecurityCenter2'
    WHEN (("CommandLine" ILIKE '%powershell%' OR "CommandLine" ILIKE '%pwsh%') AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%')) THEN 'PS_WMI_SecurityCenter2'
    WHEN ("CommandLine" ILIKE '%tasklist%' AND ("CommandLine" ILIKE '%csagent%' OR "CommandLine" ILIKE '%msmpeng%' OR "CommandLine" ILIKE '%mbam%' OR "CommandLine" ILIKE '%sentinelagent%' OR "CommandLine" ILIKE '%cbdaemon%' OR "CommandLine" ILIKE '%cylancesvc%' OR "CommandLine" ILIKE '%falconhost%' OR "CommandLine" ILIKE '%xagt%' OR "CommandLine" ILIKE '%avgnt%' OR "CommandLine" ILIKE '%avp.exe%' OR "CommandLine" ILIKE '%bdservicehost%' OR "CommandLine" ILIKE '%sophossps%' OR "CommandLine" ILIKE '%ekrn%' OR "CommandLine" ILIKE '%egui%')) THEN 'Process_Enum_AV'
    WHEN ("CommandLine" ILIKE '%reg%query%' AND ("CommandLine" ILIKE '%WinDefend%' OR "CommandLine" ILIKE '%Windows Defender%' OR "CommandLine" ILIKE '%ESET%' OR "CommandLine" ILIKE '%Kaspersky%' OR "CommandLine" ILIKE '%CrowdStrike%' OR "CommandLine" ILIKE '%SentinelOne%' OR "CommandLine" ILIKE '%Carbon Black%' OR "CommandLine" ILIKE '%Symantec%' OR "CommandLine" ILIKE '%McAfee%' OR "CommandLine" ILIKE '%Sophos%' OR "CommandLine" ILIKE '%Bitdefender%' OR "CommandLine" ILIKE '%Malwarebytes%')) THEN 'Registry_AV_Query'
    ELSE 'Other'
  END AS DetectionSource,
  CASE
    WHEN ("CommandLine" ILIKE '%wmic%' AND "CommandLine" ILIKE '%SecurityCenter%') THEN 80
    WHEN (("CommandLine" ILIKE '%powershell%' OR "CommandLine" ILIKE '%pwsh%') AND "CommandLine" ILIKE '%SecurityCenter%') THEN 75
    WHEN ("CommandLine" ILIKE '%reg%query%' AND ("CommandLine" ILIKE '%WinDefend%' OR "CommandLine" ILIKE '%CrowdStrike%' OR "CommandLine" ILIKE '%SentinelOne%')) THEN 65
    WHEN ("CommandLine" ILIKE '%tasklist%' AND ("CommandLine" ILIKE '%csagent%' OR "CommandLine" ILIKE '%sentinelagent%')) THEN 60
    ELSE 50
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 352, 397)
  AND eventid IN (1, 4688)
  AND starttime > NOW() - 86400000
  AND (
    ("CommandLine" ILIKE '%wmic%' AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%'))
    OR (("CommandLine" ILIKE '%powershell%' OR "CommandLine" ILIKE '%pwsh%') AND ("CommandLine" ILIKE '%SecurityCenter%' OR "CommandLine" ILIKE '%AntiVirusProduct%' OR "CommandLine" ILIKE '%AntiSpywareProduct%' OR "CommandLine" ILIKE '%FirewallProduct%'))
    OR ("CommandLine" ILIKE '%tasklist%' AND ("CommandLine" ILIKE '%csagent%' OR "CommandLine" ILIKE '%msmpeng%' OR "CommandLine" ILIKE '%mbam%' OR "CommandLine" ILIKE '%sentinelagent%' OR "CommandLine" ILIKE '%cbdaemon%' OR "CommandLine" ILIKE '%cylancesvc%' OR "CommandLine" ILIKE '%falconhost%' OR "CommandLine" ILIKE '%xagt%' OR "CommandLine" ILIKE '%avgnt%' OR "CommandLine" ILIKE '%avp.exe%' OR "CommandLine" ILIKE '%ekrn%' OR "CommandLine" ILIKE '%egui%' OR "CommandLine" ILIKE '%sophossps%' OR "CommandLine" ILIKE '%bdservicehost%'))
    OR ("CommandLine" ILIKE '%reg%' AND "CommandLine" ILIKE '%query%' AND ("CommandLine" ILIKE '%WinDefend%' OR "CommandLine" ILIKE '%Windows Defender%' OR "CommandLine" ILIKE '%ESET%' OR "CommandLine" ILIKE '%Kaspersky%' OR "CommandLine" ILIKE '%CrowdStrike%' OR "CommandLine" ILIKE '%SentinelOne%' OR "CommandLine" ILIKE '%Carbon Black%' OR "CommandLine" ILIKE '%Symantec%' OR "CommandLine" ILIKE '%McAfee%' OR "CommandLine" ILIKE '%Sophos%' OR "CommandLine" ILIKE '%Bitdefender%' OR "CommandLine" ILIKE '%Malwarebytes%'))
  )
ORDER BY RiskScore DESC, starttime DESC
Severity
medium
Confidence
medium

AQL query for IBM QRadar detecting security software discovery via process creation events (Sysmon Event ID 1 or Windows Security 4688). It matches command-line patterns for WMI SecurityCenter2 enumeration, PowerShell security class queries, tasklist AV process enumeration, and registry key inspection of security vendor paths. Both sources must carry the command line: Sysmon process-create events include it by default, whereas 4688 only does when "Include command line in process creation events" is enabled in audit policy. Note that the bare '%reg%' wildcard also matches unrelated strings such as "registry" or "regsvr32"; the vendor-name terms are what keep that branch narrow.
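The following Python is an added example, not code from this page or from IBM QRadar. It reimplements the query's two CASE expressions and its event-id filter over a handful of constructed process-creation records, so the patterns can be unit-tested offline before the AQL is deployed or changed. ILIKE semantics are reproduced by lower-casing; the registry branch uses the ordered '%reg%query%' form from the CASE expression. The field names EventID, Hostname and CommandLine and every sample command line are constructed for the example.

```python
import re

# Terms copied from the AQL query above; matching is case-insensitive like ILIKE.
SECURITY_CENTER_TERMS = ("securitycenter", "antivirusproduct",
                         "antispywareproduct", "firewallproduct")
AV_PROCESS_TERMS = ("csagent", "msmpeng", "mbam", "sentinelagent", "cbdaemon",
                    "cylancesvc", "falconhost", "xagt", "avgnt", "avp.exe",
                    "bdservicehost", "sophossps", "ekrn", "egui")
AV_VENDOR_TERMS = ("windefend", "windows defender", "eset", "kaspersky",
                   "crowdstrike", "sentinelone", "carbon black", "symantec",
                   "mcafee", "sophos", "bitdefender", "malwarebytes")
IN_SCOPE_EVENT_IDS = {1, 4688}   # Sysmon process create, Security process creation


def _has_any(text, terms):
    return any(t in text for t in terms)


def _is_reg_query(cl):
    # Ordered form '%reg%query%' from the CASE branch. The bare "reg" wildcard
    # also matches words such as "registry" or "regsvr32"; the vendor term is
    # what keeps the branch narrow.
    return re.search(r"reg.*query", cl) is not None


def classify(command_line):
    """Return the DetectionSource label the AQL CASE would assign, or None."""
    cl = command_line.lower()
    if "wmic" in cl and _has_any(cl, SECURITY_CENTER_TERMS):
        return "WMI_SecurityCenter2"
    if ("powershell" in cl or "pwsh" in cl) and _has_any(cl, SECURITY_CENTER_TERMS):
        return "PS_WMI_SecurityCenter2"
    if "tasklist" in cl and _has_any(cl, AV_PROCESS_TERMS):
        return "Process_Enum_AV"
    if _is_reg_query(cl) and _has_any(cl, AV_VENDOR_TERMS):
        return "Registry_AV_Query"
    return None


def risk_score(command_line):
    """Mirror the RiskScore CASE: a few high-signal patterns score higher, the rest 50."""
    cl = command_line.lower()
    if "wmic" in cl and "securitycenter" in cl:
        return 80
    if ("powershell" in cl or "pwsh" in cl) and "securitycenter" in cl:
        return 75
    if _is_reg_query(cl) and _has_any(cl, ("windefend", "crowdstrike", "sentinelone")):
        return 65
    if "tasklist" in cl and _has_any(cl, ("csagent", "sentinelagent")):
        return 60
    return 50


def run_detection(events):
    """Apply the event-id filter, classify, score and sort like the query's ORDER BY."""
    hits = []
    for ev in events:
        if ev["EventID"] not in IN_SCOPE_EVENT_IDS:
            continue
        source = classify(ev["CommandLine"])
        if source is None:
            continue
        hits.append({**ev, "DetectionSource": source,
                     "RiskScore": risk_score(ev["CommandLine"])})
    hits.sort(key=lambda h: h["RiskScore"], reverse=True)
    return hits


# Constructed process-creation records (not real telemetry). Event ID 3 is a
# Sysmon network event and must be ignored even though its command line matches.
SAMPLE_EVENTS = [
    {"EventID": 1, "Hostname": "WS-0001", "CommandLine":
     r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 4688, "Hostname": "WS-0002", "CommandLine":
     'powershell.exe -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"'},
    {"EventID": 1, "Hostname": "WS-0003", "CommandLine":
     'tasklist /fi "imagename eq MsMpEng.exe"'},
    {"EventID": 1, "Hostname": "WS-0004", "CommandLine":
     r"reg query HKLM\SYSTEM\CurrentControlSet\Services\WinDefend"},
    {"EventID": 1, "Hostname": "WS-0005", "CommandLine": "tasklist /svc"},
    {"EventID": 1, "Hostname": "WS-0006", "CommandLine":
     r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventID": 3, "Hostname": "WS-0007", "CommandLine":
     r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["DetectionSource"], hit["Hostname"], hit["CommandLine"])
```

Running it yields four hits ordered 80, 75, 65, 50; the two benign lines and the network event produce nothing. Keeping the term tuples in one place makes it obvious when the CASE list and the WHERE list of the AQL drift apart, which is the kind of defect that silently drops a labelled branch.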

Data Sources

  • Microsoft Windows Security Event Log
  • Sysmon via Windows Event Log
  • QRadar WinCollect agent

Required Tables

events

False Positives & Tuning

  • Endpoint management platforms (SCCM, Tanium, BigFix) performing scheduled compliance checks that query WMI for security product status
  • Automated vulnerability scanners or SIEM onboarding scripts that enumerate endpoint protection software to populate asset inventory
  • System administrators running manual triage commands to verify AV/EDR health after a reported incident on an endpoint
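An added example, not from this page or from QRadar, that applies those three tuning cases in Python to hits already classified by the query: a parent-process allowlist suppresses the management-platform case, a service-account allowlist suppresses the scanner/onboarding case, approved triage accounts are kept but scored lower, and hosts that produce two or more distinct DetectionSource values inside a short window are escalated. The agent binary names are assumed to be the usual client executables of the named platforms; the account names, hosts, parent paths and timestamps are constructed.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlists; tune to your own inventory. The parent binaries are the
# usual client executables of the platforms named above (SCCM, Tanium, BigFix),
# and the account names are constructed placeholders.
MANAGEMENT_AGENT_PARENTS = {"ccmexec.exe", "taniumclient.exe", "besclient.exe"}
INVENTORY_SERVICE_ACCOUNTS = {r"corp\svc-vulnscan", r"corp\svc-siem-onboard"}
TRIAGE_ADMIN_ACCOUNTS = {r"corp\jdoe-adm"}      # kept, but scored lower
ADMIN_SCORE_PENALTY = 20
ESCALATION_WINDOW = timedelta(minutes=10)


def tune(hit):
    """Return (tuned_hit_or_None, reason) for one classified hit."""
    parent = ntpath.basename(hit.get("ParentImage", "")).lower()
    user = hit.get("Username", "").lower()
    if parent in MANAGEMENT_AGENT_PARENTS:
        return None, f"suppressed: spawned by management agent {parent}"
    if user in INVENTORY_SERVICE_ACCOUNTS:
        return None, f"suppressed: inventory service account {user}"
    tuned = dict(hit)
    if user in TRIAGE_ADMIN_ACCOUNTS:
        tuned["RiskScore"] = max(hit["RiskScore"] - ADMIN_SCORE_PENALTY, 0)
        return tuned, "kept: approved triage account, score reduced"
    return tuned, "kept"


def tune_all(hits):
    """Apply tune() to every hit; keep an audit trail so suppressions stay reviewable."""
    kept, audit = [], []
    for hit in hits:
        tuned, reason = tune(hit)
        audit.append((hit["EventTime"], hit["Hostname"], reason))
        if tuned is not None:
            kept.append(tuned)
    return kept, audit


def escalate_hosts(hits, window=ESCALATION_WINDOW, min_sources=2):
    """Hosts showing >= min_sources distinct DetectionSource values inside one window.
    One tasklist or reg query is weak on its own; several methods within minutes on
    the same host is the shape the Testing Methodology runs below produce."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["Hostname"]].append(hit)
    escalated = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["EventTime"])
        for i, first in enumerate(host_hits):
            sources = {first["DetectionSource"]}
            for later in host_hits[i + 1:]:
                if later["EventTime"] - first["EventTime"] > window:
                    break
                sources.add(later["DetectionSource"])
            if len(sources) >= min_sources:
                escalated[host] = sorted(sources)
                break
    return escalated


def _hit(minute, host, user, parent, source, score):
    # Constructed classified hit shaped like the query's output columns.
    return {"EventTime": datetime(2024, 5, 1, 10, minute), "Hostname": host,
            "Username": user, "ParentImage": parent,
            "DetectionSource": source, "RiskScore": score}


SAMPLE_HITS = [
    _hit(0, "WS-0001", r"NT AUTHORITY\SYSTEM", r"C:\Windows\CCM\CcmExec.exe",
         "WMI_SecurityCenter2", 80),
    _hit(1, "WS-0002", r"CORP\svc-vulnscan", r"C:\Windows\System32\cmd.exe",
         "PS_WMI_SecurityCenter2", 75),
    _hit(2, "WS-0003", r"CORP\jdoe-adm", r"C:\Windows\System32\cmd.exe",
         "WMI_SecurityCenter2", 80),
    _hit(0, "WS-0004", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\setup.exe",
         "WMI_SecurityCenter2", 80),
    _hit(3, "WS-0004", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\setup.exe",
         "Process_Enum_AV", 50),
    _hit(5, "WS-0004", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\setup.exe",
         "Registry_AV_Query", 65),
    _hit(30, "WS-0005", r"CORP\bob", r"C:\Windows\explorer.exe",
         "Process_Enum_AV", 50),
]

if __name__ == "__main__":
    kept, audit = tune_all(SAMPLE_HITS)
    for entry in audit:
        print(*entry)
    print("escalate:", escalate_hosts(kept))
```

Suppression is keyed on the parent image and the account rather than on the command line, so a tuned-out pattern still fires when the same command arrives from an unexpected parent. The audit list records why each hit was dropped, which is what you want when a suppression is later questioned in an investigation.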

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: WMI SecurityCenter2 AV Enumeration via WMIC

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'SecurityCenter2' and 'AntiVirusProduct'. Security Event ID 4688 (if command line auditing enabled). Microsoft-Windows-WMI-Activity/Operational Event ID 5857 for SecurityCenter2 provider load.

  2. Test 2: PowerShell Get-WmiObject AntiVirusProduct Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SecurityCenter2' and 'AntiVirusProduct'. PowerShell ScriptBlock Log Event ID 4104 capturing the full Get-WmiObject command. No network connection expected.

  3. Test 3: Tasklist Process Enumeration for AV Binary Names

    Expected signal: Multiple Sysmon Event ID 1 entries for tasklist.exe, each with CommandLine containing the respective AV binary name filter. Security Event ID 4688 entries if command line auditing is enabled. No file or network events expected.

  4. Test 4: Registry Query for Installed Security Software

    Expected signal: Multiple Sysmon Event ID 1 entries for reg.exe with CommandLine containing 'query' and the respective vendor path. Security Event ID 4688 if command line auditing enabled. Registry queries will return data on installed products or 'ERROR: The system was unable to find the specified registry key or value' for absent products.
