MITRE ATT&CK® Detection Strategy

DET0016: Security Software Discovery Across Platforms

Enterprise | DET0016 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is tied to adversary discovery of security tools and monitoring agents. The business significance is that this behavior often precedes decisions about evasion, tool deployment, or whether to continue an intrusion. For leaders, it is a readiness question: can the SOC see when hosts or cloud environments are being queried for defensive software, and can incident responders use that signal early enough to change containment decisions?

Executive priority

Prioritize this as an early-warning discovery use case rather than a standalone proof of compromise. Because the related ATT&CK technique applies across IaaS, Linux, macOS, and Windows, organizations should ask whether endpoint and cloud telemetry can support consistent investigation of security-software enumeration. This is relevant to operational resilience, audit evidence for monitoring coverage, and security program validation because gaps may hide adversary preparation for evasion or selective infection.

Technical view

MITRE provides this object as detection strategy DET0016, but no official detection text or platform list is supplied for the strategy itself. The relationship context shows it detects T1518.001, Security Software Discovery, under the Discovery tactic, with related platforms of IaaS, Linux, macOS, and Windows. SOC and detection engineering teams should validate whether they can identify processes, scripts, commands, API activity, or configuration queries that enumerate anti-virus, monitoring agents, cloud monitoring agents, defensive tools, sensors, or security configurations. Treat findings as context-rich discovery signals that require correlation with surrounding execution, privilege, persistence, or cloud activity.

Likely telemetry

  • Endpoint process creation and command-line telemetry
  • Script execution telemetry on Windows, Linux, and macOS where available
  • Endpoint security product status or tamper-related logs
  • Cloud audit logs for IaaS inventory, agent, monitoring, or configuration queries
  • System configuration, package, service, and running-process inventory data

Detection direction

  • Validate coverage against the related technique T1518.001 rather than relying on DET0016 alone, because no official detection logic is supplied for this detection-strategy object.
  • Look for enumeration of installed security software, defensive tools, sensors, cloud monitoring agents, and security configurations across supported related environments: IaaS, Linux, macOS, and Windows.
  • Tune detections around context: administrative software inventory, IT support, compliance scans, and endpoint management tools may create legitimate activity that resembles discovery.
  • Correlate security-software discovery with unusual user context, rare parent processes, new hosts, unexpected cloud principals, or nearby suspicious activity to reduce false positives.
  • Check blind spots where command-line logging, script logging, endpoint inventory, EDR health, or cloud audit logs are missing or inconsistently retained.
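The telemetry and detection-direction items above describe a context-scored discovery signal rather than a standalone alert. The following is an added example, not code from the original page or from MITRE: it reads constructed process-creation records, flags command lines that enumerate security software, and then weights each hit by user context, parent process and host age before deciding whether to escalate. The field names, the inventory allow-lists, the agent tokens and the sample events are assumptions made for the example.

```python
"""Context-scored detection of security-software enumeration.

Added example (not from the page or MITRE). Reads constructed
process-creation records, flags enumeration of security tooling, and
scores each hit against user, parent process and host age. Field names,
allow-lists and agent tokens are assumptions for the example.
"""
import re
from dataclasses import dataclass

# Windows command-line fragments that query anti-virus/firewall state.
# Illustrative, widely documented detection content; not exhaustive.
WINDOWS_ENUM_PATTERNS = [
    re.compile(r"securitycenter2", re.I),
    re.compile(r"antivirusproduct", re.I),
    re.compile(r"get-mpcomputerstatus", re.I),
    re.compile(r"netsh\s+advfirewall\s+show", re.I),
]

# Linux/macOS: a process or service listing whose arguments name a
# monitoring agent. osqueryd and auditd are real agents; "example-edr"
# is a placeholder for whatever sensor an environment actually runs.
POSIX_LISTERS = {"ps", "pgrep", "grep", "systemctl", "launchctl", "service"}
POSIX_AGENT_TOKENS = ("osqueryd", "auditd", "example-edr")

# Assumed environment knowledge used for tuning (see "Detection direction").
INVENTORY_ACCOUNTS = {"svc_inventory"}                          # approved inventory account
EXPECTED_PARENTS = {"inventory-agent.exe", "sshd", "systemd"}   # endpoint-management parents
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
NEW_HOST_DAYS = 7


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str
    host_age_days: int  # days since the host first appeared in telemetry


def is_security_software_enumeration(ev: ProcessEvent) -> bool:
    """Return True when the command line enumerates security software."""
    if any(p.search(ev.cmdline) for p in WINDOWS_ENUM_PATTERNS):
        return True
    lowered = ev.cmdline.lower()
    return ev.image.lower() in POSIX_LISTERS and any(t in lowered for t in POSIX_AGENT_TOKENS)


def score_context(ev: ProcessEvent):
    """Weight a hit by how unusual its surrounding context is."""
    score, reasons = 0, []
    if ev.user.lower() not in INVENTORY_ACCOUNTS:
        score += 2
        reasons.append("user is not an approved inventory account")
    parent = ev.parent.lower()
    if parent in UNUSUAL_PARENTS:
        score += 3
        reasons.append(f"rare parent process {ev.parent}")
    elif parent not in EXPECTED_PARENTS:
        score += 1
        reasons.append(f"parent {ev.parent} is not an expected management parent")
    if ev.host_age_days <= NEW_HOST_DAYS:
        score += 2
        reasons.append(f"host first seen within {NEW_HOST_DAYS} days")
    return score, reasons


def triage(events, threshold: int = 4):
    """Emit one discovery signal per hit; escalate only with enough context."""
    signals = []
    for ev in events:
        if not is_security_software_enumeration(ev):
            continue
        score, reasons = score_context(ev)
        signals.append({
            "host": ev.host, "user": ev.user, "cmdline": ev.cmdline,
            "score": score, "reasons": reasons, "escalate": score >= threshold,
        })
    return signals


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("ws-101", "svc_inventory", "inventory-agent.exe", "wmic.exe",
                 r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName", 400),
    ProcessEvent("ws-233", "jdoe", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -Command Get-MpComputerStatus", 2),
    ProcessEvent("srv-9", "ops", "bash", "systemctl", "systemctl status osqueryd", 120),
    ProcessEvent("ws-233", "jdoe", "explorer.exe", "notepad.exe", "notepad.exe report.txt", 2),
]

if __name__ == "__main__":
    for s in triage(SAMPLE_EVENTS):
        label = "ESCALATE" if s["escalate"] else "signal  "
        print(label, s["score"], s["host"], s["cmdline"], s["reasons"])
```

Run as-is, the approved inventory run scores 0 and is recorded without escalation, the query spawned from a document editor on a days-old host scores 7 and escalates, and the `systemctl status osqueryd` from an operations account lands at 3: kept as a signal for correlation, not escalated on its own. Each allow-list is exactly the kind of local baseline the page says is essential.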

Mitigation priorities

  • Ensure endpoint and cloud logging can record the evidence needed to investigate security-software and monitoring-agent enumeration.
  • Restrict and monitor administrative privileges that allow broad inspection of installed software, services, agents, and cloud monitoring configurations.
  • Maintain reliable inventory of approved security tools and sensors so suspicious discovery can be compared against expected management activity.
  • Harden sensor health monitoring and alert on unexpected gaps, disabled agents, or changes to defensive tooling visibility.
  • Use incident response playbooks that treat this behavior as a potential precursor to evasion or follow-on intrusion activity, requiring scoped investigation rather than automatic escalation by itself.
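Two of the mitigation priorities above, a reliable inventory of approved sensors and alerting on gaps or disabled agents, fit together in one check. This is an added example, not code from the original page or from MITRE: it compares constructed agent heartbeat records against an assumed per-host inventory and reports sensors that never reported, report a non-enabled status, have gone silent beyond a tolerance, or are running where the inventory does not approve them. Host names, agent names, fields and timestamps are assumptions made for the example.

```python
"""Sensor health gap check against an approved-sensor inventory.

Added example (not from the page or MITRE). Compares constructed
heartbeat records with an assumed inventory of approved sensors per host.
All names, fields and timestamps are assumptions for the example.
"""
from datetime import datetime, timedelta, timezone

# Assumed inventory: host -> approved sensors that must be running.
EXPECTED_SENSORS = {
    "ws-101": {"example-edr", "osqueryd"},
    "srv-9": {"auditd"},
}

# Constructed heartbeat records as (host, agent, last_seen ISO-8601, status).
HEARTBEATS = [
    ("ws-101", "example-edr", "2026-01-15T11:50:00+00:00", "enabled"),
    ("ws-101", "osqueryd", "2026-01-15T08:30:00+00:00", "enabled"),
    ("ws-101", "osqueryd", "2026-01-15T09:00:00+00:00", "enabled"),
    ("srv-9", "auditd", "2026-01-15T11:55:00+00:00", "disabled"),
    ("srv-9", "unapproved-tool", "2026-01-15T11:58:00+00:00", "enabled"),
]

# Constructed evaluation time for the sample data.
DEMO_NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)


def sensor_gaps(expected, heartbeats, now, max_silence=timedelta(minutes=30)):
    """Return (host, agent, reason) findings for every coverage gap."""
    # Keep only the most recent heartbeat per (host, agent).
    latest = {}
    for host, agent, ts, status in heartbeats:
        seen = datetime.fromisoformat(ts)
        key = (host, agent)
        if key not in latest or seen > latest[key][0]:
            latest[key] = (seen, status)

    findings = []
    for host, agents in sorted(expected.items()):
        for agent in sorted(agents):
            rec = latest.get((host, agent))
            if rec is None:
                findings.append((host, agent, "never reported"))
                continue
            seen, status = rec
            if status != "enabled":
                findings.append((host, agent, f"status {status}"))
            elif now - seen > max_silence:
                minutes = int((now - seen).total_seconds() // 60)
                findings.append((host, agent, f"silent for {minutes} min"))

    # Agents reporting from hosts where they are not approved are a change
    # to defensive tooling visibility and are reported as well.
    for (host, agent), _ in sorted(latest.items()):
        if agent not in expected.get(host, set()):
            findings.append((host, agent, "not in approved inventory"))
    return findings


def demo_findings():
    """Run the check over the constructed sample data."""
    return sensor_gaps(EXPECTED_SENSORS, HEARTBEATS, DEMO_NOW)


if __name__ == "__main__":
    for host, agent, reason in demo_findings():
        print(f"{host:8} {agent:16} {reason}")
```

On the sample data the check reports the disabled auditd on srv-9, the osqueryd agent on ws-101 that has been silent for three hours, and an agent on srv-9 that the inventory does not approve; the healthy example-edr heartbeat produces no finding. The tolerance and inventory are the tuning points to set from local baselines.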

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no platforms specified on the object itself. The practical content comes from its relationship to T1518.001, Security Software Discovery, which is a Discovery technique covering IaaS, Linux, macOS, and Windows. Local baselining is essential because legitimate administration, asset inventory, and compliance tooling may perform similar enumeration.

This take is constrained to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, actor attribution, guaranteed detection coverage, or specific detection logic. Organizations must validate telemetry availability, normal administrative behavior, and control effectiveness in their own environment.

Official MITRE ATT&CK definition

Security Software Discovery Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1518.001
Name: Security Software Discovery (Sub-technique)
Relationship / procedure: This object detects Security Software Discovery.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 94fffb7994605770...

Imported snapshots across ATT&CK releases (1)

Release 19.1; object version 1.0; status: current bundle; raw hash 94fffb799460…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0016 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.