List A/V's on a Windows Host with WMIC
  • List A/V's on a Windows Host with WMIC

    I've only tested this in the lab a few times, but it has been accurate every time as far as I am aware.


    wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct

  • #2
    And you can just replace "localhost" with a machine name, yeh?
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant

    • #3
      Correct! Machine ID, IP (or localhost if you are already on target). If you're going to use "/node" to query remote machines, you'll also need to specify "/user" (which will accept down-level logon name format).

      • #4
        PowerShell equivalent, if you prefer.

        Code:
        Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

        • #5
          Thinking out loud: if you have PowerShell logging turned on and also use a SIEM, it would probably be good to cough up an alert if someone ever ran the query for installed AVs? (I'm thinking legit sysadmins/netadmins wouldn't normally be running this command)
          Brian Johnson
          7 Minute Security
          Podcaster | Security Consultant

          • #6
            You are absolutely on point. Querying for AV through PowerShell or WMI is a signature to look out for in their respective logs - similar to alerting every time 'whoami' is run within a few seconds of a connection being established to a machine. Who legitimately does that?!


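Posts #5 and #6 suggest alerting whenever the installed-AV query shows up in PowerShell or WMI logs. As an added example that is not part of the thread, the matcher below flags both the wmic form and the PowerShell form of the AntivirusProduct query in constructed PowerShell script-block (Event ID 4104) and process-creation (Event ID 4688) records, while ignoring an ordinary WMI query against root/cimv2.

```python
"""Flag Security Center AV-enumeration queries in Windows log records.

Added example, not code from the thread. The record format and all sample
records below are constructed; a SIEM rule would feed real 4104 script-block
text or 4688/Sysmon process command lines into find_av_enumeration().
"""
import re

# Every variant in the thread targets the SecurityCenter2 namespace; the
# separator may be written as root\securitycenter2 or root/SecurityCenter2.
_NAMESPACE = re.compile(r"root[\\/]+securitycenter2", re.IGNORECASE)
_AV_CLASS = re.compile(r"antivirusproduct", re.IGNORECASE)
# Tools that issue the query: wmic.exe, Get-WmiObject/gwmi, Get-CimInstance/gcim.
_QUERY_TOOL = re.compile(
    r"\bwmic\b|get-wmiobject|\bgwmi\b|get-ciminstance|\bgcim\b", re.IGNORECASE
)


def is_av_enumeration(text: str) -> bool:
    """True when a command line or script block queries AntivirusProduct."""
    return bool(_NAMESPACE.search(text) and _AV_CLASS.search(text)
                and _QUERY_TOOL.search(text))


def find_av_enumeration(records):
    """Return (record_id, user, text) for every record that matches."""
    hits = []
    for rec in records:
        if is_av_enumeration(rec["text"]):
            hits.append((rec["id"], rec["user"], rec["text"]))
    return hits


# Constructed sample records: the thread's two query forms plus benign noise.
SAMPLE_RECORDS = [
    {"id": "4688-1", "user": "LAB\\jdoe",
     "text": r"wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct"},
    {"id": "4104-2", "user": "LAB\\jdoe",
     "text": "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct"},
    {"id": "4104-3", "user": "LAB\\svc-mon",
     "text": "Get-CimInstance -Namespace root/cimv2 -ClassName Win32_OperatingSystem"},
    {"id": "4688-4", "user": "LAB\\admin",
     "text": "wmic os get caption"},
]

if __name__ == "__main__":
    for rec_id, user, text in find_av_enumeration(SAMPLE_RECORDS):
        print(f"ALERT {rec_id} {user}: {text}")
```

Only the two AntivirusProduct queries are returned; the cimv2 query and the plain wmic invocation are left alone, which keeps the rule quiet for routine inventory scripts.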