Techniques
Sample rules
Security Software Discovery via Grep
- source: elastic
- technicques:
- T1518
Description
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.
Detection logic
process where event.type == "start" and
process.name : "grep" and user.id != "0" and
not process.parent.executable : ("/Library/Application Support/*", "/opt/McAfee/agent/scripts/ma") and
process.args :
("Little Snitch*",
"Avast*",
"Avira*",
"ESET*",
"BlockBlock*",
"360Sec*",
"LuLu*",
"KnockKnock*",
"kav",
"KIS",
"RTProtectionDaemon*",
"Malware*",
"VShieldScanner*",
"WebProtection*",
"webinspectord*",
"McAfee*",
"isecespd*",
"macmnsvc*",
"masvc*",
"kesl*",
"avscan*",
"guard*",
"rtvscand*",
"symcfgd*",
"scmdaemon*",
"symantec*",
"sophos*",
"osquery*",
"elastic-endpoint*"
) and
not (
(process.args : "Avast" and process.args : "Passwords") or
(process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or
(process.command_line : (
"grep ESET Command-line scanner, version %s -A2",
"grep -i McAfee Web Gateway Core version:",
"grep --color=auto ESET Command-line scanner, version %s -A2"
)
) or
(process.parent.command_line : (
"""sh -c printf "command_start_%s"*; perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf "command_done_%s*""",
"""bash -c perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1"""
)
)
)