245. That's How TamperedChef Queries the System for Security Products

Hello everyone! It's very important for an adversary to collect information about security software available on the compromised system. Let's look at another real-world example demonstrating how threat actors leverage Security Software Discovery (T1518.001) and Query Registry (T1012). So, according to this report, TamperedChef abused reg.exe (yes, again) to query the system registry in order to obtain information about installed security software, for example:

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender" /v "UninstallString"

We can use security software names to build our detection:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("query" AND ("bitdefender" OR "g data antivirus" OR "checkpoint" OR "kasperskylabsetup" OR "fortinet" OR "zillya antivirus"))

See you tomorrow!
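The detection query above, implemented as an added Python example (not code from the post) that runs over constructed process-creation events using the post's field names; the sample events, including the non-reg.exe and non-query cases, are made up here to show where the rule fires and where it stays silent:

```python
import ntpath

# Security-software names from the post's detection query, matched case-insensitively.
SECURITY_VENDORS = ("bitdefender", "g data antivirus", "checkpoint",
                    "kasperskylabsetup", "fortinet", "zillya antivirus")


def match_reg_security_discovery(event):
    """Return the vendor name that fired the rule, or None for a benign event."""
    # Mirrors the post's query: a Windows process-creation event whose image is
    # reg.exe and whose command line contains "query" plus a known vendor name.
    if event.get("event_type") != "processcreatewin":
        return None
    # proc_file_path may be a full path; compare only the image name.
    if ntpath.basename(event.get("proc_file_path", "")).lower() != "reg.exe":
        return None
    cmdline = event.get("cmdline", "").lower()
    if "query" not in cmdline:
        return None
    return next((v for v in SECURITY_VENDORS if v in cmdline), None)


def run_detection(events):
    """Return (event index, vendor) for every event the rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        vendor = match_reg_security_discovery(ev)
        if vendor:
            hits.append((i, vendor))
    return hits


# Constructed sample events (not real telemetry) in the post's field layout.
SAMPLE_EVENTS = [
    # 0: the TamperedChef command quoted in the post -> fires.
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender" /v "UninstallString"'},
    # 1: reg.exe writing a key, no "query" -> silent.
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Example /v Test /t REG_SZ /d 1"},
    # 2: same query launched via cmd.exe -> outside this rule's image filter (a gap to keep in mind).
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c reg query HKLM\SOFTWARE\KasperskyLabSetup"},
    # 3: upper-case reg.exe query against another vendor key -> fires.
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"REG QUERY HKLM\SOFTWARE\WOW6432Node\KasperskyLabSetup /s"},
]

if __name__ == "__main__":
    for idx, vendor in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: reg.exe queried the registry for {vendor}")
```

Event 2 shows the rule's scope: the image filter on reg.exe means the same query wrapped in cmd.exe only surfaces once reg.exe itself is spawned as a child process.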