T1518.001 (sub-technique)
Security Software Discovery
4 syscalls implement this technique:
- NtGetCachedSigningLevel
Reads the Code Integrity cached signing-level result stored as an NTFS extended attribute on a file.
- NtQueryInformationByName
Queries file information by path without opening a handle; introduced in Windows 10 RS5.
- NtOpenDirectoryObject
Opens an existing directory object in the Windows object manager namespace.
- NtQueryDirectoryObject
Enumerates the entries (name + type) inside an object-manager directory.