frack113
23 lines
719 B
YAML
23 lines
719 B
YAML
title: Powershell Suspicious Win32_PnPEntity
|
|
id: b26647de-4feb-4283-af6b-6117661283c5
|
|
status: experimental
|
|
author: frack113
|
|
date: 2021/08/23
|
|
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1120
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
definition: EnableScriptBlockLogging must be set to enable
|
|
detection:
|
|
selection:
|
|
EventID: 4104
|
|
ScriptBlockText|contains: Win32_PnPEntity
|
|
condition: selection
|
|
falsepositives:
|
|
- admin script
|
|
level: low |