This note documents detection patterns related to Security Product Enumeration within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects security discovery commands and scripts. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for enumeration chains. |
| PowerShell | 4104 | Script block logging | Critical | Captures Defender / AV enumeration commands. |
| Sysmon | 22 | DNS query | Low | Sometimes scripts pull vendor metadata. |
| Sysmon | 11 | File create | Medium | Output files from recon scripts. |
| Security | 4663 | File access | Medium | Reads security product files or configs. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Defender queried | Get-MpComputerStatus | Critical | Common attacker recon step. |
| WMI AV query | root\SecurityCenter2 | Critical | Classic AV enumeration. |
| tasklist filtered for AV names | Process hunting | Critical | Strong recon clue. |
| Registry reads vendor keys | AV product detection | High | Valuable signal. |
| sc query security services | Service discovery | High | Product presence check. |
| Recon before evasion | Defender tampering follows | Critical | Strong sequence. |
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Get-MpComputerStatus |
| wmic.exe | AV WMI queries |
| tasklist.exe | Process enumeration |
| sc.exe | Service checks |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 11, 22
- PowerShell 4104
- Commands:
  - Get-MpComputerStatus
  - wmic /namespace:\\root\SecurityCenter2
  - tasklist
- Prefetch:
  - WMIC.EXE
  - TASKLIST.EXE
MITRE ATT&CK References
- T1518 Software Discovery
Decision Tree
- Which method?
  - WMI
  - PowerShell
  - tasklist
- Which product targeted?
  - Defender
  - AV vendor
  - EDR service
- Follow-on action?
  - AMSI bypass
  - Defender tampering
  - ETW tampering
- Output stored?
  - File
  - Console
  - Script variable
- Expand:
  - Parent process
  - Recon chain
  - User context
- Scope:
  - Single check
  - Broad recon
  - Framework fingerprint
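As an added example that is not part of this note, the following Python script walks three questions of the decision tree (which method, follow-on action, scope) over constructed 4688 command lines and 4104 script blocks: it tags each record with the enumeration indicator it matches, rates a host as a single check or broad recon (an assumed threshold of two or more distinct methods), and flags Defender tampering that follows recon on the same host within five minutes. The indicator names, the 5-minute window and the sample events are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Indicator patterns taken from the Indirect Indicators table; the tasklist and
# sc patterns are narrowed to Defender / MDE names so plain process listings stay quiet.
RECON = {
    "defender_status": re.compile(r"Get-MpComputerStatus", re.I),
    "wmi_av_query":    re.compile(r"root\\SecurityCenter2", re.I),
    "tasklist_av":     re.compile(r"tasklist.*(MsMpEng|MsSense|WinDefend)", re.I),
    "sc_query_av":     re.compile(r"\bsc(\.exe)?\s+query\b.*(WinDefend|Sense)", re.I),
}
# Follow-on action from the decision tree: Defender tampering via Set-MpPreference -Disable*
EVASION = re.compile(r"Set-MpPreference\s.*-Disable", re.I)

def classify(text):
    """Return the set of enumeration indicators matched by one command line or script block."""
    return {name for name, pat in RECON.items() if pat.search(text)}

def triage(events, window=timedelta(minutes=5)):
    """Per host: methods used, single check vs broad recon (assumed threshold: two or
    more methods), and whether Defender tampering followed recon within `window`."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # chronological, so later - earlier >= 0
        f = findings.setdefault(ev["host"], {"methods": set(), "recon_times": [], "recon_then_evasion": False})
        hits = classify(ev["text"])
        if hits:
            f["methods"] |= hits
            f["recon_times"].append(ev["time"])
        elif EVASION.search(ev["text"]) and any(ev["time"] - t <= window for t in f["recon_times"]):
            f["recon_then_evasion"] = True
    for f in findings.values():
        f["methods"] = sorted(f["methods"])
        f["scope"] = "broad recon" if len(f["methods"]) >= 2 else "single check"
        del f["recon_times"]
    return findings

# Constructed sample records (4688 command lines / 4104 script blocks), not real telemetry.
T = datetime.fromisoformat
SAMPLE_EVENTS = [
    {"host": "WS01",  "time": T("2026-03-07T10:00:00"), "event_id": 4688, "text": "powershell.exe -c Get-MpComputerStatus"},
    {"host": "WS01",  "time": T("2026-03-07T10:00:40"), "event_id": 4688, "text": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "WS01",  "time": T("2026-03-07T10:01:30"), "event_id": 4688, "text": 'tasklist /fi "IMAGENAME eq MsMpEng.exe"'},
    {"host": "WS01",  "time": T("2026-03-07T10:03:00"), "event_id": 4104, "text": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "SRV02", "time": T("2026-03-07T11:00:00"), "event_id": 4688, "text": "powershell.exe -c Get-MpComputerStatus"},
    {"host": "SRV02", "time": T("2026-03-07T11:05:00"), "event_id": 4688, "text": "tasklist /svc"},  # plain listing, no AV filter
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

WS01 comes out as broad recon with tampering following within the window; SRV02 is a single Defender status check with no follow-on, which is the shape of the "Legitimate admin checks" false positive the Sigma rule names.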
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("Get-MpComputerStatus","SecurityCenter2","tasklist")
| project TimeGenerated, Computer, CommandLine
```
The 4104 query assumes script block events land in a table named PowerShell; adjust the table name to match how the workspace ingests them.
```kql
PowerShell
| where EventID == 4104
| where ScriptBlockText has "Get-MpComputerStatus"
| project TimeGenerated, Computer, ScriptBlockText
```
EQL
```eql
process where process.command_line like "*SecurityCenter2*" or process.command_line like "*Get-MpComputerStatus*"
```
```eql
sequence by host.name with maxspan=5m
  [ process where process.name in ("wmic.exe","powershell.exe") ]
  [ process where process.name in ("cmd.exe","powershell.exe") ]
```
Sigma
```yaml
title: Security Product Enumeration Detection
id: 3e5b8d14-security-product-enum
status: experimental
description: Detects security product discovery activity
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
  keywords:
    CommandLine|contains:
      - 'SecurityCenter2'
      - 'Get-MpComputerStatus'
      - 'tasklist'
  condition: selection and keywords
fields:
  - CommandLine
falsepositives:
  - Legitimate admin checks
level: high
tags:
  - attack.discovery
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on AV discovery commands | Strong recon signal | Critical | Low false positives |
| Preserve 4104 | Catch scripted checks | High | Strong evidence |
| Correlate with evasion next | High-confidence chain | Critical | Strong triage |
| Baseline admin tooling | Reduce noise | High | Useful context |
| Watch WMI AV namespace queries | Rare signal | High | Valuable detection |