MITRE ATT&CK Technique
Discovery T1063
Description

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

### Windows

Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.

### Mac

It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Supported Platforms
macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:30:51.330Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may attempt to get a listing of security '
                'software, configurations, defensive tools, and sensors that '
                'are installed on the system. This may include things such as '
                'local firewall rules and anti-virus. Adversaries may use the '
                'information from [Security Software '
                'Discovery](https://attack.mitre.org/techniques/T1063) during '
                'automated discovery to shape follow-on behaviors, including '
                'whether or not the adversary fully infects the target and/or '
                'attempts specific actions.\n'
                '\n'
                '\n'
                '### Windows\n'
                '\n'
                'Example commands that can be used to obtain security software '
                'information are '
                '[netsh](https://attack.mitre.org/software/S0108), <code>reg '
                'query</code> with '
                '[Reg](https://attack.mitre.org/software/S0075), '
                '<code>dir</code> with '
                '[cmd](https://attack.mitre.org/software/S0106), and '
                '[Tasklist](https://attack.mitre.org/software/S0057), but '
                'other indicators of discovery behavior may be more specific '
                'to the type of software or security system the adversary is '
                'looking for.\n'
                '\n'
                '### Mac\n'
                '\n'
                "It's becoming more common to see macOS malware perform checks "
                'for LittleSnitch and KnockKnock software.',
 'external_references': [{'external_id': 'T1063',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1063'}],
 'id': 'attack-pattern--241814ae-de3f-4656-b49e-f9a80764d4b7',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'discovery'}],
 'modified': '2025-10-24T17:48:31.974Z',
 'name': 'Security Software Discovery',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS', 'Windows'],
 'x_mitre_version': '2.2'}
Related Threat Actors (1)
clop
Critical