title: Powershell Suspicious Win32_PnPEntity  
id: b26647de-4feb-4283-af6b-6117661283c5
status: experimental
author: frack113
date: 2021/08/23
modified: 2021/10/16
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. 
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
tags:
    - attack.discovery
    - attack.t1120
logsource:
    product: windows
    category: ps_script
    definition: EnableScriptBlockLogging must be set to enable
detection:
    selection:
        ScriptBlockText|contains: Win32_PnPEntity
    condition: selection
falsepositives:
    - admin script
level: low