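├── README.md
└── Invoke-EnumSecurityTools.ps1
/README.md:
--------------------------------------------------------------------------------
# Invoke-EnumSecurityTools

Grabs a list of services on the system and compares each service name to known service names of security tools such as AV and EDR, then queries the Windows Security Center (`root/SecurityCenter2`) for registered AntiVirus, AntiSpyware and Firewall products. Outputs a list of identified tools and their status. A tool whose service name is not in the built-in list is not reported, so an empty result does not prove the host is unmonitored.
--------------------------------------------------------------------------------
/Invoke-EnumSecurityTools.ps1:
--------------------------------------------------------------------------------
function Invoke-EnumSecurityTools {

<#
.SYNOPSIS
    Enumerates security tools (AV / EDR / application whitelisting / firewall) present on the local system.
    Author: Chris Myers (@swizzlez_)

.DESCRIPTION
    Two data sources are checked and merged into one output stream:

      1. Get-Service: every service whose short service Name (not DisplayName) matches an
         entry in a built-in lookup table of known security-tool service names. The table is
         a PowerShell hashtable literal, so key comparison is case-insensitive.
      2. The CIM namespace root/SecurityCenter2: products registered with Windows Security
         Center as AntiVirusProduct, AntiSpywareProduct or FirewallProduct.

    Each hit is emitted as its own PSCustomObject with two properties:
      Security_Tool - friendly product name (lookup-table value, or the SecurityCenter displayName)
      Status        - for service hits, the service's current status (Running / Stopped / ...);
                      for SecurityCenter hits, one of the literal strings
                      "SecurityCenter (AntiVirus)", "SecurityCenter (AntiSpyware)",
                      "SecurityCenter (Firewall)".

    Caveats for operators:
      - The service table is an allow-list of known names; a product whose service name is
        not in it is silently missed. No output does NOT mean no security tooling is present.
      - Get-Service only returns services the current token may enumerate. Some products
        tighten the SCM ACL on their own services, so a low-privilege run may under-report.
        NOTE(review): product-specific; confirm on the target.
      - root/SecurityCenter2 is a client (workstation) SKU feature; on Windows Server the
        namespace is normally absent. CIM query errors are suppressed so the function still
        completes; run with -Verbose to see them.
      - SecurityCenter2's productState field (enabled / signature-age bits) is not decoded.
      - Requires PowerShell 3.0 or later (Get-CimInstance).

.OUTPUTS
    PSCustomObject with properties Security_Tool and Status, one object per detected tool.

.EXAMPLE
    PS>Import-Module .\Invoke-EnumSecurityTools.ps1
    PS>Invoke-EnumSecurityTools
    Enumerating Security Tools...

    Security_Tool                               Status
    -------------                               ------
    Windows Defender Network Inspection Service Stopped
    Windows Defender                            Running
#>
    [CmdletBinding()]
    param()

    # Service short name (case-insensitive key) -> friendly product name.
    $av_list = @{
        "symantec antivirus" = "Symantec Endpoint Protection"
        mcshield             = "McAfee Security"
        windefend            = "Windows Defender"
        msmpsvc              = "Microsoft Security Essentials"
        msmpeng              = "Microsoft Security Essentials"
        savservice           = "Sophos Antivirus"
        aveservice           = "Avast!"
        "avast! antivirus"   = "Avast!"
        immunetprotect       = "Immunet Protect"
        fsma                 = "F-Secure"
        antivirservice       = "AntiVir"
        avguard              = "Avira"
        fpavserver           = "F-Protect"
        pshost               = "Panda Security"
        pavsrv               = "Panda AntiVirus"
        bdss                 = "BitDefender"
        abmainsv             = "ArcaBit/ArcaVir"
        "ikarus-guardx"      = "IKARUS"
        ekrn                 = "ESET Smart Security"
        avkproxy             = "G Data Antivirus"
        klblmain             = "Kaspersky Lab Antivirus"
        vbservprof           = "Symantec VirusBlast"
        clamav               = "ClamAV"
        EMET_Service         = "Microsoft EMET"
        Sense                = "Windows Defender Advanced Threat Protection Service"
        WdNisSvc             = "Windows Defender Network Inspection Service"
        "Parity Agent"       = "Bit 9 Parity Application Whitelisting"
        parity               = "Bit 9 Parity Application Whitelisting"
        csagent              = "CrowdStrike Falcon EDR Agent"
        WRSA                 = "WebRoot AV"
        TMCCSF               = "Trend Micro AV"
        mbae                 = "MalwareBytes Anti-Exploit"
        cb                   = "Carbon Black Behavioral Analysis"
        "bds-vision"         = "BDS Vision behavioral analysis"
        Triumfant            = "Triumfant behavioral analysis"
        ossec                = "OSSEC intrusion detection"
        TmPfw                = "Trend Micro firewall"
    }

    # Build one fresh result object per hit. The previous implementation reused a single
    # PSObject and re-emitted it, so every element of a captured result set
    # ($r = Invoke-EnumSecurityTools) referenced the same instance and showed only the
    # last tool's values.
    function New-ToolResult {
        param([string]$Tool, $Status)
        [PSCustomObject]@{
            Security_Tool = $Tool
            Status        = $Status
        }
    }

    # Banner goes to the host rather than the output stream so that callers which capture
    # or pipe the results (Export-Csv, Where-Object, ...) receive only result objects.
    Write-Host "Enumerating Security Tools..."

    # 1. Installed services matched by short service name.
    foreach ($svc in Get-Service) {
        if ($av_list.ContainsKey($svc.Name)) {
            New-ToolResult -Tool $av_list[$svc.Name] -Status $svc.Status
        }
    }

    # 2. Windows Security Center registrations. Each class is queried on its own so that a
    #    missing class or namespace (typical on Server SKUs) only drops that category.
    $centerClasses = @(
        @{ Class = 'AntiVirusProduct';   Label = 'SecurityCenter (AntiVirus)' }
        @{ Class = 'AntiSpywareProduct'; Label = 'SecurityCenter (AntiSpyware)' }
        @{ Class = 'FirewallProduct';    Label = 'SecurityCenter (Firewall)' }
    )
    foreach ($entry in $centerClasses) {
        $cimErr = $null
        $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName $entry.Class `
                                    -ErrorAction SilentlyContinue -ErrorVariable cimErr
        if ($cimErr) {
            Write-Verbose "root/SecurityCenter2 $($entry.Class) query failed: $($cimErr[0].Exception.Message)"
        }
        foreach ($product in $products) {
            # Registrations with an empty displayName carry nothing useful to report.
            if ($product.displayName) {
                New-ToolResult -Tool $product.displayName -Status $entry.Label
            }
        }
    }
}
--------------------------------------------------------------------------------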