attack.t1518.001

Security Tools Keyword Lookup Via Findstr.EXE

Nov 15, 2023 · attack.discovery attack.t1518.001 ·

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE

Nov 15, 2023 · attack.discovery attack.t1518.001 ·

Share on:

Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).

Security Software Discovery Via Powershell Script

Oct 28, 2023 · attack.discovery attack.t1518.001 ·

Share on:

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus

Security Software Discovery - Linux

Nov 28, 2022 · attack.discovery attack.t1518.001 ·

Share on:

Detects usage of system utilities (only grep and egrep for now) to discover security software discovery

Security Software Discovery - MacOs

Nov 28, 2022 · attack.discovery attack.t1518.001 ·

Share on:

Detects usage of system utilities (only grep for now) to discover security software discovery