Introduction:
Blindly applying evasion techniques against modern Endpoint Detection and Response (EDR) and antivirus solutions is inefficient and often fails. The key to successful offensive operations lies in first understanding the defensive surface—identifying which security products are installed, their operational state, and hidden services running on the target Windows system. This article explores a context-driven enumeration methodology using Windows’ native SecurityCenter2 WMI class and Service Control Manager (SCM) to map the defensive landscape, enabling attackers to make informed decisions and defenders to close visibility gaps.
Learning Objectives:
- Query SecurityCenter2 via PowerShell/WMI to enumerate installed security products and decode the productState field for real-time status.
- Perform deep service enumeration via SCM to detect hidden EDR components like Sense (Windows Defender Advanced Threat Protection) and WdNISvc.
- Build a custom enumeration tool and apply context-driven evasion strategies based on collected telemetry.
You Should Know:
1. Understanding SecurityCenter2 and productState
SecurityCenter2 is a WMI namespace (Root\SecurityCenter2) introduced in Windows Vista and later that provides information about security products registered with the Windows Security Center. The key class is AntiVirusProduct. Each product has a `productState` integer that encodes three pieces of information: the product’s definition update status, protection status, and signature freshness. For example, a `productState` value of 397568 (0x61100) typically indicates that real-time protection is enabled and definitions are up to date. Decoding this field allows an attacker to determine if the AV is actively monitoring or disabled.
To manually query SecurityCenter2:

```powershell
Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object displayName, productState, instanceGuid
```

Or using PowerShell v3+:

```powershell
Get-CimInstance -Namespace "Root/SecurityCenter2" -ClassName AntiVirusProduct
```
To decode productState programmatically, parse the hex value. The lower 16 bits (least significant) represent the definition status (0=up-to-date, 16=out-of-date), and the upper bits indicate real-time protection (enabled/disabled). A quick function:
```powershell
function Decode-ProductState($state) {
    # Render the raw integer as hex so the byte layout is visible
    $hex = [Convert]::ToString($state, 16)
    Write-Host "State: $state (0x$hex)"
    # Bit 12 (0x1000) is the real-time protection flag in the middle byte
    $rtStatus = ($state -band 0x1000) -shr 12
    Write-Host "Real-time protection: $(if($rtStatus -eq 1){'Enabled'}else{'Disabled'})"
}
```
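The quick function above only reads one bit. The following is an added example, not code from the original post, that decodes all three bytes of `productState` and flags products that are not fully protected; the function name `ConvertFrom-ProductState` and the sample values other than 397568 are constructed, and the byte layout follows the commonly documented Windows Security Center convention rather than a vendor guarantee.

```powershell
# Added example: decode productState as 0xPPRRDD, where PP = provider/type byte,
# RR = real-time state (0x10/0x11 = on, 0x00/0x01 = off), DD = definitions
# (0x00 = current, 0x10 = out of date). Vendors are not obliged to follow this,
# so treat 'Unknown' results as "go look at the product console".
function ConvertFrom-ProductState {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][int]$State)
    process {
        $provider = ($State -shr 16) -band 0xFF
        $rtByte   = ($State -shr 8)  -band 0xFF
        $defByte  =  $State          -band 0xFF

        $rtp = switch ($rtByte) {
            { $_ -in 0x10, 0x11 } { 'Enabled' }
            { $_ -in 0x00, 0x01 } { 'Disabled' }
            default               { 'Unknown (0x{0:X2})' -f $_ }
        }
        $defs = switch ($defByte) { 0x00 { $true } 0x10 { $false } default { $null } }

        [pscustomobject]@{
            Raw                = $State
            Hex                = '0x{0:X6}' -f $State
            ProviderByte       = '0x{0:X2}' -f $provider
            RealTimeProtection = $rtp
            DefinitionsCurrent = $defs
        }
    }
}

# Constructed sample values so the decoder can be exercised offline.
# 397568 is the value quoted in the article; the other three are made up:
# 393472 = RTP off, defs current; 397584 = RTP on, defs stale; 262144 = unknown layout.
$samples = 397568, 393472, 397584, 262144
$samples | ConvertFrom-ProductState | Format-Table -AutoSize

# Live use: decode every registered product and warn on anything not fully protected.
Get-CimInstance -Namespace 'Root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-ProductState -State $_.productState
        if ($d.RealTimeProtection -ne 'Enabled' -or $d.DefinitionsCurrent -ne $true) {
            Write-Warning "$($_.displayName): RTP=$($d.RealTimeProtection) DefsCurrent=$($d.DefinitionsCurrent)"
        }
    }
```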
2. Enumerating Installed Security Products via WMI & Registry Fallback
While SecurityCenter2 works for most major vendors (Windows Defender, McAfee, Symantec, etc.), some EDR solutions deliberately avoid registering there to evade simple enumeration. To bridge this gap, you must also inspect the Service Control Manager and the registry. Start with a robust enumeration script that combines multiple sources:
```powershell
# Enumerate from SecurityCenter2
$sc2 = Get-CimInstance -Namespace "Root/SecurityCenter2" -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$sc2 | ForEach-Object { Write-Host "[+] $($_.displayName) - State: $($_.productState)" }

# Fallback: check common registry paths
$regPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows Defender",
    "HKLM:\SOFTWARE\Wow6432Node\Symantec",
    "HKLM:\SOFTWARE\McAfee",
    "HKLM:\SYSTEM\CurrentControlSet\Services"
)
foreach ($path in $regPaths) {
    if (Test-Path $path) { Write-Host "[+] Found: $path" }
}
```
This dual approach ensures that even if an EDR hides from SecurityCenter2, its service or registry artifacts can still be detected.
3. Deep Dive into Service Control Manager for Hidden EDR Services
Many advanced EDRs run as kernel drivers or high-integrity services that do not appear in standard user-mode process lists. The Service Control Manager (SCM) maintains a database of all installed services, including hidden, protected, and even malicious ones. Using `sc.exe` or PowerShell’s Get-Service, you can enumerate all services and filter for known EDR service names.
Key EDR services to look for:
– `Sense` – Windows Defender Advanced Threat Protection (ATP) – telemetry and detection.
– `WdNISvc` – Windows Defender Network Inspection Service.
– `MsMpSvc` – Windows Defender Antivirus Service.
– `Sophos` variants (SophosEDM, SophosMCS).
– `CrowdStrike` (CSAgent, Falcon).
– `CarbonBlack` (CbDefense).
List all services with display name and status:

```cmd
sc query state= all | findstr /i "SERVICE_NAME DISPLAY_NAME"
```

Or PowerShell:

```powershell
Get-Service | Where-Object {$_.Status -eq 'Running' -and $_.StartType -eq 'Automatic'} | Select-Object Name, DisplayName, Status
```

To dig deeper, inspect service binary paths and start type:

```powershell
Get-CimInstance -ClassName Win32_Service | Format-Table Name, State, StartMode, PathName
```
Look for suspicious paths (e.g., `C:\Program Files\EDR\` or unsigned binaries). This level of enumeration helps map the complete defensive layer, including kernel drivers listed under `HKLM\SYSTEM\CurrentControlSet\Services` with `Type = 1` (kernel driver).
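As an added audit example (not code from the original post), the script below does the two checks this section describes: it resolves each service's binary from `PathName`, verifies its Authenticode signature, and lists kernel and file-system driver services from the `Services` key. The function names `Get-ServiceBinaryReport` and `Get-KernelDriverServices` are constructed; the output is a report and nothing is modified.

```powershell
# Added example: audit service binaries and driver services for visibility gaps.
function Get-ServiceBinaryReport {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        # PathName may be quoted and carry arguments:  "C:\x\a.exe" -svc   or   C:\x\a.exe -k netsvcs
        $exe = if ($svc.PathName -match '^\s*"([^"]+)"')      { $matches[1] }
               elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $matches[1] }
               else                                            { $svc.PathName }
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { Get-AuthenticodeSignature -FilePath $exe }
        [pscustomobject]@{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Binary    = $exe
            SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Get-KernelDriverServices {
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; Win32_Service omits both,
    # so they are only visible in the registry (or via sc query type= driver).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($p.Type -in 1, 2) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Type      = $p.Type
                Start     = $p.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $p.ImagePath
            }
        }
    }
}

# Anything that is not validly signed deserves a second look; boot/system-start drivers
# are where EDR kernel components (and rootkits) live.
Get-ServiceBinaryReport   | Where-Object { $_.SigStatus -ne 'Valid' } | Format-Table -AutoSize
Get-KernelDriverServices  | Where-Object { $_.Start -le 1 }           | Format-Table -AutoSize
```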
4. Analyzing Service States and Start Modes for Evasion Clues
The `productState` field from SecurityCenter2 is not the only indicator. Service start modes reveal whether security products start automatically with the system, on demand, or are disabled. If you find that `Sense` is set to `Disabled` or Manual, the EDR may be partially inactive. However, modern EDRs use multiple protection layers; even if a service is stopped, the kernel driver might remain active. Use the following to check service triggers (Windows 10+):
```powershell
# List all services with trigger-start information
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    # Win32_ServiceSpecification is the MSI installer record associated with a service,
    # so this only fires for MSI-installed services; the actual trigger definitions
    # are reported by: sc.exe qtriggerinfo <ServiceName>
    $triggers = Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_ServiceSpecification
    if ($triggers) { Write-Host "$($_.Name) has triggers" }
}
```
Additionally, check for running processes associated with EDRs:
```powershell
# -like without wildcards is an exact match, so wrap the patterns in *
Get-Process | Where-Object {$_.Company -like '*Microsoft*' -or $_.Description -like '*antivirus*' -or $_.Path -like '*EDR*'}
```
Combining service enumeration with process and driver lists gives a near-complete picture.
5. Building Your Own Windows Enumeration Tool (PowerShell Script)
Based on the post’s inspiration, here’s a compact, functional enumeration tool that outputs JSON for easy parsing. Save as Invoke-DefenseMap.ps1:
```powershell
function Invoke-DefenseMap {
    $results = @{}

    # SecurityCenter2
    $results.SC2 = Get-CimInstance -Namespace "Root/SecurityCenter2" -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, instanceGuid

    # Service enumeration - focus on security-related services
    $secServices = @('Sense', 'WdNISvc', 'MsMpSvc', 'CSAgent', 'cb', 'Sophos')
    $results.Services = Get-Service |
        Where-Object { $secServices -contains $_.Name -or $_.DisplayName -match 'EDR|antivirus|security|protection' } |
        Select-Object Name, Status, StartType

    # Running processes with known vendors
    $results.Processes = Get-Process |
        Where-Object { $_.Company -match 'CrowdStrike|Microsoft|Symantec|McAfee|Sophos|Carbon Black' } |
        Select-Object Name, Id, Path

    # Convert to JSON
    return ($results | ConvertTo-Json -Depth 3)
}

Invoke-DefenseMap | Out-File -FilePath .\defense_map.json
```
This tool outputs a structured map of the defensive environment. Attackers can feed this JSON into a decision engine that selects evasion techniques (e.g., if `Sense` is running and `productState` indicates active, avoid memory injection and instead use living-off-the-land binaries).
6. Context-Driven Evasion Strategies Based on Enumeration Output
Once you have the defense map, tailor your evasion. Examples:
– If Windows Defender is active with real-time protection enabled → avoid known `amsi.dll` hooks; use PowerShell downgrade attacks or alternative scripting hosts like `cscript` or wmic.
– If CrowdStrike Falcon service is present → avoid direct syscalls; use indirect syscall via `ntdll.dll` unhooking or hardware breakpoint evasion.
– If no EDR is detected but Windows Defender is disabled → standard remote execution tools like `psexec` or `wmic` may work.
– If hidden services like Sense are running but not listed in SecurityCenter2 → the environment likely has advanced telemetry; avoid credential dumping via LSASS and instead use Kerberoasting or NTDS.dit extraction from volume shadow copies.
This decision tree replaces blind trial-and-error, reducing detection probability.
7. Mitigations for Defenders: How to Hide and Harden
From a blue team perspective, the ability to enumerate security products via SecurityCenter2 is a privacy and security gap. Defenders can disable WMI access for unprivileged users via Group Policy (Restrict WMI namespaces) or use Windows Defender Application Control (WDAC) to block enumeration scripts. Additionally, modern EDRs should be configured to run as protected processes (PPL) and not register with SecurityCenter2 if possible. Use `sc.exe sdset` to harden service DACLs, preventing unauthorized users from querying service status. Example:
```cmd
sc sdshow Sense
REM Restrict enumeration to SYSTEM only
sc sdset Sense D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
```
Regularly audit who can query WMI namespaces and services. Deploy Microsoft Defender for Endpoint’s tamper protection to block changes to `productState` or service start modes.
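Before rewriting a service DACL with `sc.exe sdset`, it helps to see who currently holds query rights. The following is an added example, not code from the original post: it parses a service SDDL string with .NET's `RawSecurityDescriptor` and reports each ACE's principal and its service-specific rights. The function names are constructed, and the sample SDDL is the stock DACL most services ship with, embedded so the report runs offline.

```powershell
# Added example: audit which principals can query or control a service.
# Service-specific access bits (winsvc.h):
$ServiceRights = [ordered]@{
    QueryConfig   = 0x0001;  ChangeConfig = 0x0002;  QueryStatus = 0x0004
    EnumDepend    = 0x0008;  Start        = 0x0010;  Stop        = 0x0020
    PauseContinue = 0x0040;  Interrogate  = 0x0080;  UserControl = 0x0100
    Delete        = 0x10000; ReadControl  = 0x20000; WriteDac    = 0x40000; WriteOwner = 0x80000
}

function Get-ServiceAceReport {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = foreach ($r in $ServiceRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        # Resolve well-known SIDs (SY, BA, IU, SU ...) to names where possible
        $who = try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Principal  = $who
            Type       = $ace.AceType
            CanQuery   = [bool]($ace.AccessMask -band 0x0005)   # QueryConfig | QueryStatus
            CanControl = [bool]($ace.AccessMask -band 0x0032)   # ChangeConfig | Start | Stop
            Rights     = $rights -join ','
        }
    }
}

# Constructed sample: the default SCM DACL (SYSTEM, Administrators, Interactive users,
# Service accounts). Interactive users can query status and config but not control the service.
$defaultSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
Get-ServiceAceReport -Sddl $defaultSddl | Format-Table -AutoSize

# Live use: sc.exe sdshow prints a blank line followed by the SDDL, so join and trim it.
function Get-ServiceSddl([string]$Name) {
    ((sc.exe sdshow $Name) -join '').Trim()
}
# Get-ServiceAceReport -Sddl (Get-ServiceSddl 'Sense') | Where-Object CanQuery
```

Compare the live report before and after an `sdset`, since the SYSTEM-only descriptor shown above also removes the Administrators ACE.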
What Undercode Say:
- Key Takeaway 1: Blind evasion is obsolete. Mapping the defensive surface using SecurityCenter2 and SCM enumeration transforms offensive operations from guesswork to data-driven decision-making.
- Key Takeaway 2: Defenders must assume attackers will enumerate these artifacts. Hiding services or not registering with SecurityCenter2 is insufficient; implement layered controls like PPL, WDAC, and strict WMI permissions.
Analysis: The approach detailed by MUAAZ TALAAT MUHAMMED highlights a mature offensive mindset—understanding before acting. While SecurityCenter2 provides a quick overview, the real value lies in the SCM deep dive, as many EDRs (e.g., Microsoft Sense) are visible there even if they hide from WMI. This technique is not novel but is often overlooked by beginners. The provided PowerShell commands and custom tool enable both red teams to automate reconnaissance and blue teams to test their visibility. The industry trend is moving toward kernel-based EDRs that can mask their services from standard APIs, forcing attackers to use more invasive methods like direct syscalls or memory scanning. Nonetheless, the enumeration-first methodology remains a cornerstone of modern adversarial tradecraft.
Prediction:
As EDR vendors increasingly adopt kernel callbacks and obfuscated service names, traditional WMI and SCM enumeration will become less reliable. Within 12–18 months, we will see a shift toward memory-based evasion mapping—using direct syscalls to query undocumented kernel structures (e.g., the `KPRCB` for loaded callbacks) and ETW event provider enumeration. This will trigger an arms race where defenders implement integrity monitoring for WMI and service databases, while attackers develop tooling that bypasses user-mode hooks entirely. The future of context-driven evasion lies in hypervisor-based introspection and AI-driven decision engines that adapt in real time to the detected defensive surface.
Reported By: Muaaztalaat Blind – Hackers Feeds