Skip to content

DET0016 Security Software Discovery Across Platforms

Item Value
ID DET0016
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1518.001 (Security Software Discovery)

Analytics

Windows

AN0048

Adversary executes commands to enumerate installed antivirus, EDR, or firewall agents using WMI, registry queries, and built-in tools (e.g., tasklist, netsh, sc query). Correlated with elevated process privileges or scripting engine usage.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Mutable Elements
Field Description
ParentProcess Defenders can tune based on trusted or known-good parent process relationships
ImagePathContains Regex match on adversary tool or enumeration script used

Linux

AN0049

Adversary runs discovery commands such as ps aux, systemctl status, or cat /etc/init.d/ to enumerate security software or services. Often occurs alongside privilege escalation or bash script execution.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
ExecutableName Adjust for custom script names or wrappers used in the environment
TimeWindow Tuning threshold for multiple enumeration commands within short duration

macOS

AN0050

Adversary attempts to detect monitoring agents such as Little Snitch, KnockKnock, or other system daemons via process listing (ps -e), application folder checks, and system extension listing.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog execution of security-agent detection or enumeration commands
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
ToolNameMatch Adversary may search for specific software names; defenders can tune based on local deployments