Security Software Discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. These checks may be built into early-stage remote access tools.

Windows

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.

Mac

It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

ID: T1063

Tactic: Discovery

Platform:  macOS, Windows

Permissions Required:  User, Administrator, SYSTEM

Data Sources:  File monitoring, Process monitoring, Process command-line parameters

Version: 2.0

Examples

NameDescription
Astaroth

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder.[1]

BadPatch

BadPatch uses WMI to enumerate installed security products in the victim’s environment.[2]

CHOPSTICK

CHOPSTICK checks for anti-virus and forensics software.[3]

Cobalt Group

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[4]

Comnie

Comnie attempts to detect several anti-virus products.[5]

CozyCar

The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[6]

Crimson

Crimson contains a command to collect information about anti-virus software on the victim.[7]

Darkhotel

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[8]

DustySky

DustySky checks for the existence of anti-virus.[9]

Empire

Empire can enumerate antivirus software on the target.[10]

Epic

Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.[11]

Exaramel

Exaramel checks for anti-virus software installed on the victim’s machine.[12]

Felismus

Felismus checks for processes associated with anti-virus vendors.[13]

FELIXROOT

FELIXROOT checks for installed security software like antivirus and firewall.[14]

FIN8

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[15]

FinFisher

FinFisher probes the system to check for antimalware processes.[16][17]

Flame

Flame identifies security software such as antivirus through the Security module.[18][19]

Gold Dragon

Gold Dragon checks for anti-malware products and processes.[20]

JPIN

JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[21]

jRAT

jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[22][23]

Kasidet

Kasidet has the ability to identify any anti-virus installed on the infected system.[24]

Micropsia

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[25][26]

More_eggs

More_eggs can obtain information on installed anti-malware programs.[27]

Mosquito

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[28]

MuddyWater

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[29]

Naikon

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[30]

netsh

netsh can be used to discover system firewall settings.[31][32]

Patchwork

Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[33]

POWERSTATS

POWERSTATS has detected security tools.[34]

POWRUNER

POWRUNER may collect information the victim's anti-virus software.[35]

Prikormka

A module in Prikormka collects information from the victim about installed anti-virus software.[36]

Remsec

Remsec has a plugin to detect active drivers of some security products.[37]

RogueRobin

RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.[38][39]

ROKRAT

ROKRAT checks for debugging tools.[40]

RTM

RTM can obtain information about security software on the victim.[41]

StreamEx

StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.[42]

T9000

T9000 performs checks for various antivirus and security products during installation.[43]

Tasklist

Tasklist can be used to enumerate security software currently running on a system by process name of known products.[44]

Tropic Trooper

Tropic Trooper searches for anti-virus software running on the system.[45]

VERMIN

VERMIN uses WMI to check for anti-virus software installed on the system.[46]

Wingbird

Wingbird checks for the presence of Bitdefender security software.[47]

Zeus Panda

Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.[48][49]

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting [50] tools, like AppLocker, [51] [52] or Software Restriction Policies [53] where appropriate. [54]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  2. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  3. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  4. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  5. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  6. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  7. Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  8. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  9. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  12. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  13. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  14. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  15. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  16. FinFisher. (n.d.). Retrieved December 20, 2017.
  17. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  18. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  19. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  20. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  21. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  22. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  23. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  24. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  25. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  26. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  27. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  1. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  2. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  3. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  4. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  5. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  6. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  7. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  8. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  9. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  10. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  11. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  12. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  13. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  14. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  15. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  16. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  17. Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
  18. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  19. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  20. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  21. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  22. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  23. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  24. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  25. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  26. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  27. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.