Detect Security Software Discovery in Microsoft Sentinel
Adversaries enumerate installed security software, defensive tools, and monitoring agents prior to executing payloads or deploying evasion techniques. By identifying what endpoint protection, EDR, firewalls, and cloud monitoring agents are present, adversaries can determine whether to proceed with infection, disable specific defenses, or select evasion techniques tailored to the detected product. Common methods include WMI queries to the SecurityCenter2 namespace (enumerating AntiVirusProduct, FirewallProduct, AntiSpywareProduct classes), PowerShell Get-WmiObject/Get-CimInstance targeting security product WMI classes, tasklist and WMIC process enumeration filtered to known AV/EDR binary names, and registry inspection of installed software keys for security vendor paths. Threat actors including Darkhotel, Clop, QakBot, Raspberry Robin, TONESHELL (Mustang Panda), and Sidewinder are documented performing this technique in the wild.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1518 Software Discovery
- Sub-technique
- T1518.001 Security Software Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1518/001/
KQL Detection Query
let AvProcessNames = dynamic([
"ekrn.exe", "egui.exe", "mssense.exe", "msmpeng.exe", "mbam.exe", "mbamservice.exe",
"avp.exe", "avguard.exe", "avgnt.exe", "avscan.exe", "avastui.exe", "avastsvc.exe",
"bdservicehost.exe", "bdredline.exe", "bdagent.exe",
"sophosav.exe", "sophossps.exe", "savservice.exe", "hmpalert.exe",
"csfalconservice.exe", "csagent.exe", "falconhost.exe",
"cbdaemon.exe", "carbonblackk.exe",
"sentinelagent.exe", "sentinelservicehost.exe", "sentinelstaticengine.exe",
"cybereason", "amsi", "cylancesvc.exe", "taniumclient.exe",
"fireeye", "xagt.exe", "trellix", "hxtsr.exe"
]);
// WMI SecurityCenter2 namespace queries — highest fidelity indicator
let WmiSecCenter = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "SecurityCenter"
or (ProcessCommandLine has_any ("AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct")
and ProcessCommandLine has_any ("displayName", "Get", "path"))
| extend DetectionSource = "WMI_SecurityCenter2", RiskScore = 80;
// PowerShell WMI/CIM queries targeting security product classes
let PsWmiSec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "SecurityCenter"
or (ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi", "gcim", "Invoke-WmiMethod")
and ProcessCommandLine has_any ("AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"))
| extend DetectionSource = "PS_WMI_SecurityCenter2", RiskScore = 75;
// Tasklist or WMIC process enumeration filtered to known AV/EDR binary names
let ProcessEnumAv = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("tasklist.exe", "wmic.exe")
| where ProcessCommandLine has_any (AvProcessNames)
| extend DetectionSource = "Process_Enum_AV", RiskScore = 60;
// Registry queries targeting known security vendor install paths
let RegAvQuery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has "query"
| where ProcessCommandLine has_any (
"SYSTEM\\CurrentControlSet\\Services\\WinDefend",
"SOFTWARE\\Microsoft\\Windows Defender",
"SOFTWARE\\ESET", "SOFTWARE\\Kaspersky Lab",
"SOFTWARE\\McAfee", "SOFTWARE\\Sophos",
"SOFTWARE\\CrowdStrike", "SOFTWARE\\Carbon Black",
"SOFTWARE\\SentinelOne", "SOFTWARE\\Cylance",
"SOFTWARE\\Symantec", "SOFTWARE\\Bitdefender",
"SOFTWARE\\Malwarebytes", "SOFTWARE\\Avast", "SOFTWARE\\AVG")
| extend DetectionSource = "Registry_AV_Query", RiskScore = 65;
union WmiSecCenter, PsWmiSec, ProcessEnumAv, RegAvQuery
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionSource, RiskScore
| sort by Timestamp descDetects security software discovery attempts via four complementary method vectors: (1) WMI queries to SecurityCenter2 namespace using wmic.exe — highest fidelity, directly matches documented PUBLOAD/Sidewinder/QakBot tradecraft; (2) PowerShell Get-WmiObject/Get-CimInstance queries targeting AntiVirusProduct/AntiSpywareProduct/FirewallProduct WMI classes; (3) tasklist/wmic process enumeration filtered to a dynamic list of known AV and EDR binary names (including CrowdStrike, SentinelOne, ESET, Carbon Black, Malwarebytes); (4) reg.exe queries targeting known security vendor registry paths. RiskScore is assigned per detection source to help prioritize analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- IT asset management and inventory platforms (Lansweeper, ServiceNow Discovery, SCCM hardware inventory agent) that query WMI SecurityCenter2 during scheduled asset collection cycles
- Vulnerability scanners (Tenable Nessus, Qualys Cloud Agent, Rapid7 InsightVM) enumerating endpoint security posture during credentialed network scans
- Help desk and ITSM automation scripts that check AV product status or version before creating incident tickets or routing to the appropriate support team
- Endpoint compliance tools (Ivanti, Tanium Comply, BigFix) performing scheduled security policy audits that verify required security software is installed and running
- Internal security operations scripts run by SOC analysts or engineers during incident response or baseline auditing activities
Other platforms for T1518.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1WMI SecurityCenter2 AV Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'SecurityCenter2' and 'AntiVirusProduct'. Security Event ID 4688 (if command line auditing enabled). Microsoft-Windows-WMI-Activity/Operational Event ID 5857 for SecurityCenter2 provider load.
- Test 2PowerShell Get-WmiObject AntiVirusProduct Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SecurityCenter2' and 'AntiVirusProduct'. PowerShell ScriptBlock Log Event ID 4104 capturing the full Get-WmiObject command. No network connection expected.
- Test 3Tasklist Process Enumeration for AV Binary Names
Expected signal: Multiple Sysmon Event ID 1 entries for tasklist.exe, each with CommandLine containing the respective AV binary name filter. Security Event ID 4688 entries if command line auditing is enabled. No file or network events expected.
- Test 4Registry Query for Installed Security Software
Expected signal: Multiple Sysmon Event ID 1 entries for reg.exe with CommandLine containing 'query' and the respective vendor path. Security Event ID 4688 if command line auditing enabled. Registry queries will return data on installed products or 'ERROR: The system was unable to find the specified registry key or value' for absent products.
References (9)
- https://attack.mitre.org/techniques/T1518/001/
- https://securelist.com/the-darkhotel-apt/66779/
- https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-financial-industries.html
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-namespaces
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_security_software_discovery.yml
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sidewinder-apt-group-active-iocs
- https://www.malwarebytes.com/blog/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure
Unlock Pro Content
Get the full detection package for T1518.001 including response playbook, investigation guide, and atomic red team tests.