Created the Monday 18 March 2019. Updated 3 years, 6 months ago.
Fingerprinting the AV emulator can allow the malware to detect the AV. For example, specific mutex can be used by the AV emulator, trying to detect it allow the sample to detect the AV.
title: Get antivirus details via WMIC query status: experimental description: Get antivirus details via WMIC query author: Joe Security date: 2020-03-27 id: 200069 threatname: behaviorgroup: 5 classification: 8 mitreattack: logsource: category: process_creation product: windows detection: selection: CommandLine: -'*wmic * path antivirusproduct get displayname*' condition: selection level: critical