Software Discovery: Security Software Discovery

Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

ID: T1418.001
Sub-technique of: T1418
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
MTC ID: APP-12
Version: 1.1
Created: 31 March 2022
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1094 BRATA

BRATA can search for specifically installed security applications.[1]

S0522 Exobot

Exobot can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.[2]

S0406 Gustuff

Gustuff checks for antivirus software contained in a predefined list.[3]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Android 11 introduced privacy enhancements to package visibility, filtering the results returned by the package manager. iOS 12 removed the private API that non-App Store applications could previously use to list the applications installed on a device.[4]

M1011 User Guidance

iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0680 Detection of Security Software Discovery

AN1784

Defender observes an app enumerating installed security/management controls (AV/EDR/MDM/VPN/Play Protect) via PackageManager, DevicePolicyManager, AppOps, and Settings queries or shell ‘pm list’ usage, optionally probing Accessibility/Device Admin state. Enumeration is followed by local inventory artifact creation and/or small egress. Chain: capability to query → burst of security-focused checks (packages/permissions/policies) → optional foreground targeting → artifact write → quick POST.

AN1785

Defender correlates app attempts to enumerate or infer security/management tooling (ManagedConfiguration/MDM presence, VPN/NEFilter config, AV/EDR app presence via LaunchServices or URL-scheme probing, private APIs) with local inventory persistence and egress. Chain: probe (MDM/NE/VPN/AV presence) → burst of LS/canOpenURL/ManagedConfiguration calls → inventory cache write → small POST.
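As an added example (not MITRE's or any vendor's code), the AN1784 chain above expressed as a detection rule and run over constructed Android telemetry: a burst of security-focused checks, then a local artifact write, then a small POST, all inside one window. The log format, package names, marker list and thresholds are assumptions.

```python
"""Detect the AN1784 chain over constructed Android telemetry (added example)."""
from collections import defaultdict

# Constructed sample telemetry; layout "<epoch> <package> <event> <detail>" is an assumption.
SAMPLE_LOG = """\
1700000000 com.example.wallpaper pm_query com.android.chrome
1700000005 com.example.loader pm_query com.example.antivirus
1700000006 com.example.loader pm_query com.example.mdmagent
1700000007 com.example.loader shell pm list packages
1700000008 com.example.loader dpm_query isDeviceOwnerApp
1700000009 com.example.loader appops_query ACCESSIBILITY
1700000015 com.example.loader file_write /data/data/com.example.loader/cache/inv.json
1700000020 com.example.loader net_post https://203.0.113.10/c 412
1700000040 com.example.wallpaper file_write /data/data/com.example.wallpaper/cache/img.png
"""

# Event kinds that count as a check when the target looks security/management related.
CHECK_EVENTS = {"pm_query", "shell", "dpm_query", "appops_query"}
# Illustrative markers only; a real analytic carries a curated AV/EDR/MDM/VPN package list.
SECURITY_MARKERS = ("antivirus", "security", "mdm", "vpn", "pm list",
                    "isdeviceowner", "accessibility")

def parse(log):
    """Yield (timestamp, package, event, detail) tuples from the log text."""
    for line in log.splitlines():
        ts, pkg, event, detail = line.split(" ", 3)
        yield int(ts), pkg, event, detail

def detect(log, window=60, min_checks=3, max_bytes=2048):
    """Return {package: summary} for packages showing >= min_checks security checks,
    then a file write, then a POST of at most max_bytes, all within `window` seconds."""
    by_pkg = defaultdict(list)
    for ev in parse(log):
        by_pkg[ev[1]].append(ev)
    findings = {}
    for pkg, evs in by_pkg.items():
        checks = [ts for ts, _, e, d in evs
                  if e in CHECK_EVENTS and any(m in d.lower() for m in SECURITY_MARKERS)]
        if len(checks) < min_checks:
            continue
        first, last = checks[0], checks[-1]
        writes = [ts for ts, _, e, _ in evs
                  if e == "file_write" and last <= ts <= first + window]
        if not writes:
            continue
        posts = [ts for ts, _, e, d in evs
                 if e == "net_post" and writes[0] <= ts <= first + window
                 and int(d.rsplit(" ", 1)[1]) <= max_bytes]
        if posts:
            findings[pkg] = {"checks": len(checks), "write_at": writes[0], "post_at": posts[0]}
    return findings
```

The benign wallpaper app queries one non-security package and writes a file but never reaches the burst threshold, so it is not reported.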

References