AN0048: Analytic 0048
Adversary executes commands to enumerate installed antivirus, EDR, or firewall agents using WMI, registry queries, and built-in tools (e.g., tasklist, netsh, sc query). Correlated with elevated process privileges or scripting engine usage.
Analyst context for executives and security teams
This analytic describes Windows activity where an adversary checks what antivirus, EDR, or firewall tooling is installed, using common administrative interfaces and built-in utilities. For security leaders, the practical issue is not the inventory command by itself; it is what it can indicate when paired with elevated privileges or scripting activity: a threat actor may be assessing defenses before attempting evasion or follow-on actions.
Executive priority
Prioritize this as a control-validation and incident-triage question: can the organization reliably see when privileged users, scripts, or unusual processes enumerate endpoint security controls on Windows systems? This behavior matters for SOC readiness, incident response scoping, and audit evidence because it tests whether endpoint, process, registry, WMI, and firewall-related visibility are actually available and correlated—not just whether security tools are deployed.
Technical view
For Windows environments, validate detections for enumeration of installed antivirus, EDR, or firewall agents through WMI, registry queries, and built-in tools such as task listing, service queries, and firewall configuration inspection. The supplied ATT&CK object emphasizes correlation with elevated process privileges or scripting engine usage, so detection engineering should focus on context: parent/child process relationships, command-line arguments, privilege level, user identity, host role, and whether the activity originates from expected administration workflows.
Likely telemetry
- Windows process creation events with command-line details
- Parent and child process relationships
- User and privilege context, including elevated execution
- WMI activity or WMI command/process telemetry
- Windows registry query activity
Detection direction
- Correlate security-tool enumeration with elevated privileges, scripting engine usage, unusual parent processes, or non-administrative user context.
- Tune for legitimate IT administration, troubleshooting, software inventory, compliance scanning, and security operations workflows to reduce false positives.
- Validate that process command lines, WMI activity, registry access, and service/firewall query evidence are collected consistently across Windows endpoints.
- Review whether detection logic distinguishes broad system inventory from focused discovery of antivirus, EDR, or firewall agents.
- Use host criticality and account context to prioritize triage, especially on servers, privileged workstations, and systems involved in incident response.
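A constructed example of the correlation described in the points above, added here and not part of the ATT&CK analytic or Glexia's own page: it scores Sysmon-style process-creation events for focused security-tool enumeration (keeping broad inventory out of the alert path) and raises the triage tier when elevated privileges, a scripting-engine parent, or an unapproved account is present. The sample events, the security-term list and the APPROVED_INVENTORY_ACCOUNTS allowlist are assumptions for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (sample input, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist /svc",
     "parent": r"C:\Windows\System32\cmd.exe", "integrity": "Medium", "user": r"CORP\helpdesk1"},
    {"image": r"C:\Windows\System32\sc.exe", "cmd": "sc query WinDefend",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "integrity": "High", "user": r"CORP\jdoe"},
    {"image": r"C:\Windows\System32\netsh.exe", "cmd": "netsh advfirewall show allprofiles",
     "parent": r"C:\Windows\System32\wscript.exe", "integrity": "System", "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\Windows\System32\reg.exe", "cmd": r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender"',
     "parent": r"C:\Windows\System32\cmd.exe", "integrity": "Medium", "user": r"CORP\svc-inventory"},
]

ENUM_TOOLS = {"tasklist.exe", "sc.exe", "netsh.exe", "wmic.exe", "reg.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ELEVATED = {"High", "System"}
# Assumed terms that separate focused security-tool discovery from broad system inventory.
SECURITY_TERMS = re.compile(r"defend|antivirus|antispyware|firewall|securitycenter|\bedr\b", re.I)
# Assumed allowlist of principals that run documented inventory/compliance jobs.
APPROVED_INVENTORY_ACCOUNTS = {r"CORP\svc-inventory"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Score one event; returns (score, reasons). 0 means no focused security-tool enumeration."""
    if basename(ev["image"]) not in ENUM_TOOLS or not SECURITY_TERMS.search(ev["cmd"]):
        return 0, []  # unrelated or broad inventory: feed the baseline, do not alert
    reasons, score = ["security-tool enumeration"], 1
    if ev["integrity"] in ELEVATED:
        score, reasons = score + 2, reasons + ["elevated privileges"]
    if basename(ev["parent"]) in SCRIPT_ENGINES:
        score, reasons = score + 2, reasons + ["scripting-engine parent"]
    if ev["user"] not in APPROVED_INVENTORY_ACCOUNTS:
        score, reasons = score + 1, reasons + ["unapproved account"]
    return score, reasons

def triage(events):
    """Return [(tier, cmd, reasons)] for scoring events; tier is the analyst triage priority."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            tier = "high" if score >= 4 else "medium" if score >= 2 else "low"
            out.append((tier, ev["cmd"], reasons))
    return out
```

Calling `triage(SAMPLE_EVENTS)` returns two high-tier findings (the elevated, script-spawned `sc` and `netsh` queries) and one low-tier finding for the approved inventory account, while the plain `tasklist /svc` produces nothing.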
Mitigation priorities
- Ensure least-privilege practices reduce unnecessary elevated command execution on Windows endpoints.
- Harden and monitor administrative scripting and remote management pathways used for WMI, registry, service, and firewall queries.
- Maintain endpoint logging coverage sufficient for process, command-line, registry, WMI, and privilege-context analysis.
- Document approved administrative inventory and troubleshooting procedures so the SOC can tune detections without suppressing suspicious activity.
- Periodically test whether managed detection, IR playbooks, and compliance evidence can show who enumerated security controls, from where, and under what privilege level.
Analyst notes and limits
No tactic, relationship context, or official detection logic was supplied. The strongest supported interpretation is defensive validation around Windows-based enumeration of security tooling, especially when correlated with privileged execution or scripting. Local baselines are essential because many of the referenced utilities and interfaces are also used by administrators and security teams.
This take is limited to the supplied ATT&CK analytic fields and the MITRE external reference. It does not establish active exploitation, attribution, impact, prevalence, or guaranteed detection coverage. No non-Windows platforms or related techniques are inferred.
Analytic 0048
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 90d3f1cef158… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0048
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.