title: Security Software Discovery (T1518.001)
id: df00tech-t1518-001
status: experimental
description: "Adversaries enumerate installed security software, defensive tools, and monitoring agents prior to executing payloads or deploying evasion techniques. By identifying what endpoint protection, EDR, firewalls, and cloud monitoring agents are present, adversaries can determine whether to proceed with infection, disable specific defenses, or select evasion techniques tailored to the detected product. Common methods include WMI queries to the SecurityCenter2 namespace (enumerating AntiVirusProduct, FirewallProduct, AntiSpywareProduct classes), PowerShell Get-WmiObject/Get-CimInstance targeting security product WMI classes, tasklist and WMIC process enumeration filtered to known AV/EDR binary names, and registry inspection of installed software keys for security vendor paths. Threat actors including Darkhotel, Clop, QakBot, Raspberry Robin, TONESHELL (Mustang Panda), and Sidewinder are documented performing this technique in the wild."
references:
  - https://attack.mitre.org/techniques/T1518/001/
  - https://df00tech.com/detections/T1518.001
author: df00tech
date: 2026/04/20
tags:
  - attack.t1518.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT asset management and inventory platforms (Lansweeper, ServiceNow Discovery, SCCM hardware inventory agent) that query WMI SecurityCenter2 during scheduled asset collection cycles"
  - "Vulnerability scanners (Tenable Nessus, Qualys Cloud Agent, Rapid7 InsightVM) enumerating endpoint security posture during credentialed network scans"
  - Help desk and ITSM automation scripts that check AV product status or version before creating incident tickets or routing to the appropriate support team
  - "Endpoint compliance tools (Ivanti, Tanium Comply, BigFix) performing scheduled security policy audits that verify required security software is installed and running"
  - Internal security operations scripts run by SOC analysts or engineers during incident response or baseline auditing activities
level: medium