Adversary executes commands to enumerate installed antivirus, EDR, or firewall agents using WMI, registry queries, and built-in tools (e.g., tasklist, netsh, sc query). Correlated with elevated process privileges or scripting engine usage.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Field | Description |
|---|---|
| ParentProcess | Defenders can tune based on trusted or known-good parent process relationships |
| ImagePathContains | Regex match on adversary tool or enumeration script used |
Adversary runs discovery commands such as ps aux, systemctl status, or cat /etc/init.d/ to enumerate security software or services. Often occurs alongside privilege escalation or bash script execution.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Field | Description |
|---|---|
| ExecutableName | Adjust for custom script names or wrappers used in the environment |
| TimeWindow | Tuning threshold for multiple enumeration commands within short duration |
Adversary attempts to detect monitoring agents such as Little Snitch, KnockKnock, or other system daemons via process listing (ps -e), application folder checks, and system extension listing.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | execution of security-agent detection or enumeration commands |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Field | Description |
|---|---|
| ToolNameMatch | Adversary may search for specific software names; defenders can tune based on local deployments |