T1518.001 Sumo Logic CSE · Sumo

Detect Security Software Discovery in Sumo Logic CSE

Adversaries enumerate installed security software, defensive tools, and monitoring agents prior to executing payloads or deploying evasion techniques. By identifying what endpoint protection, EDR, firewalls, and cloud monitoring agents are present, adversaries can determine whether to proceed with infection, disable specific defenses, or select evasion techniques tailored to the detected product. Common methods include WMI queries to the SecurityCenter2 namespace (enumerating AntiVirusProduct, FirewallProduct, AntiSpywareProduct classes), PowerShell Get-WmiObject/Get-CimInstance targeting security product WMI classes, tasklist and WMIC process enumeration filtered to known AV/EDR binary names, and registry inspection of installed software keys for security vendor paths. Threat actors including Darkhotel, Clop, QakBot, Raspberry Robin, TONESHELL (Mustang Panda), and Sidewinder are documented performing this technique in the wild.

MITRE ATT&CK

Tactic
Discovery
Technique
T1518 Software Discovery
Sub-technique
T1518.001 Security Software Discovery
Canonical reference
https://attack.mitre.org/techniques/T1518/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json auto
| where EventID in ("1", "4688")
| where (
    (CommandLine matches "*wmic*" and (
      CommandLine matches "*SecurityCenter*" or
      CommandLine matches "*AntiVirusProduct*" or
      CommandLine matches "*AntiSpywareProduct*" or
      CommandLine matches "*FirewallProduct*"
    )) or
    ((CommandLine matches "*powershell*" or CommandLine matches "*pwsh*") and (
      CommandLine matches "*SecurityCenter*" or
      CommandLine matches "*AntiVirusProduct*" or
      CommandLine matches "*AntiSpywareProduct*" or
      CommandLine matches "*FirewallProduct*" or
      (CommandLine matches "*Get-WmiObject*" or CommandLine matches "*Get-CimInstance*" or CommandLine matches "*gcim*" or CommandLine matches "*gwmi*")
    )) or
    (CommandLine matches "*tasklist*" and (
      CommandLine matches "*ekrn*" or CommandLine matches "*egui*" or
      CommandLine matches "*msmpeng*" or CommandLine matches "*mbam*" or
      CommandLine matches "*csagent*" or CommandLine matches "*falconhost*" or
      CommandLine matches "*sentinelagent*" or CommandLine matches "*cbdaemon*" or
      CommandLine matches "*cylancesvc*" or CommandLine matches "*xagt*" or
      CommandLine matches "*avgnt*" or CommandLine matches "*avp.exe*" or
      CommandLine matches "*bdservicehost*" or CommandLine matches "*sophossps*"
    )) or
    (CommandLine matches "*reg*" and CommandLine matches "*query*" and (
      CommandLine matches "*WinDefend*" or CommandLine matches "*Windows Defender*" or
      CommandLine matches "*ESET*" or CommandLine matches "*Kaspersky*" or
      CommandLine matches "*CrowdStrike*" or CommandLine matches "*SentinelOne*" or
      CommandLine matches "*Carbon Black*" or CommandLine matches "*Symantec*" or
      CommandLine matches "*McAfee*" or CommandLine matches "*Sophos*" or
      CommandLine matches "*Bitdefender*" or CommandLine matches "*Malwarebytes*"
    ))
  )
| if (CommandLine matches "*wmic*" and CommandLine matches "*SecurityCenter*", "WMI_SecurityCenter2",
    if (CommandLine matches "*powershell*" and CommandLine matches "*SecurityCenter*", "PS_WMI_SecurityCenter2",
    if (CommandLine matches "*powershell*" and (CommandLine matches "*AntiVirusProduct*" or CommandLine matches "*AntiSpywareProduct*" or CommandLine matches "*FirewallProduct*"), "PS_WMI_SecurityCenter2",
    if (CommandLine matches "*tasklist*", "Process_Enum_AV",
    if (CommandLine matches "*reg*" and CommandLine matches "*query*", "Registry_AV_Query",
    "Other"))))) as DetectionSource
| if (DetectionSource = "WMI_SecurityCenter2", 80,
    if (DetectionSource = "PS_WMI_SecurityCenter2", 75,
    if (DetectionSource = "Registry_AV_Query", 65,
    if (DetectionSource = "Process_Enum_AV", 60,
    50)))) as RiskScore
| fields _messageTime, Computer, User, CommandLine, ParentCommandLine, Image, ParentImage, DetectionSource, RiskScore
| sort by RiskScore, _messageTime
medium severity high confidence

Sumo Logic query detecting security software discovery through process creation logs (Sysmon or Windows Security). Identifies WMI SecurityCenter2 namespace enumeration, PowerShell security class queries, tasklist AV binary name filtering, and registry queries targeting known security vendor software paths.

Data Sources

Sysmon via Windows Event LogWindows Security Event LogSumo Logic Windows Collection Agent

Required Tables

windows/sysmonwindows/security

False Positives & Tuning

  • Endpoint management and patch management systems (e.g., SCCM, Qualys, Rapid7) that regularly check WMI SecurityCenter2 for compliance posture reporting
  • SOC or helpdesk runbooks that include checking AV product status via PowerShell or WMIC as part of standard triage procedures for incident response tickets
  • Software deployment scripts that verify pre-existing security product presence before installing new endpoint agents to avoid conflicts
Download portable Sigma rule (.yml)

Other platforms for T1518.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMI SecurityCenter2 AV Enumeration via WMIC

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'SecurityCenter2' and 'AntiVirusProduct'. Security Event ID 4688 (if command line auditing enabled). Microsoft-Windows-WMI-Activity/Operational Event ID 5857 for SecurityCenter2 provider load.

  2. Test 2PowerShell Get-WmiObject AntiVirusProduct Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SecurityCenter2' and 'AntiVirusProduct'. PowerShell ScriptBlock Log Event ID 4104 capturing the full Get-WmiObject command. No network connection expected.

  3. Test 3Tasklist Process Enumeration for AV Binary Names

    Expected signal: Multiple Sysmon Event ID 1 entries for tasklist.exe, each with CommandLine containing the respective AV binary name filter. Security Event ID 4688 entries if command line auditing is enabled. No file or network events expected.

  4. Test 4Registry Query for Installed Security Software

    Expected signal: Multiple Sysmon Event ID 1 entries for reg.exe with CommandLine containing 'query' and the respective vendor path. Security Event ID 4688 if command line auditing enabled. Registry queries will return data on installed products or 'ERROR: The system was unable to find the specified registry key or value' for absent products.

Last updated: 2026-04-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1518.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1518Software Discovery

Related Sub-techniques

T1518.002Backup Software Discovery

Related Techniques

T1518Software DiscoveryT1082System Information DiscoveryT1057Process DiscoveryT1047Windows Management InstrumentationT1562.001Disable or Modify ToolsT1562.004Disable or Modify System FirewallT1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1083File and Directory DiscoveryT1652Device Driver Discovery

Same Tactic: Discovery

Popular Detections