
Summary
This detection rule identifies the usage of PowerShell scripts that invoke the Windows Management Instrumentation (WMI) class `Win32_QuickFixEngineering` to enumerate installed hotfixes on a Windows system. Attackers often use such enumeration techniques in their scripts to gather information about the target environment, particularly the applied security patches, which can be leveraged to identify vulnerabilities or devise further attack strategies. This rule targets script blocks containing both the class name `Win32_QuickFixEngineering` and the property name `HotFixID`, so that it captures relevant calls made within the PowerShell context. To function correctly, this rule requires that Script Block Logging is enabled on the target systems, so that the content of executed PowerShell script blocks is recorded. Potential false positives include legitimate administrative scripts utilized for system maintenance and patch management.
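The matching logic described above, applied to constructed Script Block Logging records (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), as an added example that is not part of the original rule. It assumes case-insensitive substring matching and reassembles script blocks that Windows splits across several 4104 events (same ScriptBlockId, ordered by MessageNumber) before matching, since a chunk boundary can otherwise separate the two terms; the sample events and the KB number are constructed.

```python
from collections import defaultdict

# Constructed sample 4104 records (not logs from the original page). Long script blocks are
# emitted as several events sharing a ScriptBlockId, with MessageNumber/MessageTotal.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-WmiObject -Class Win32_QuickFixEngineering | Select-Object HotFixID, InstalledOn"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-HotFix | Select-Object HotFixID, InstalledOn"},
    # One script block chunked into two events; each chunk alone holds only one of the terms.
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "| Where-Object { $_.hotfixid -eq 'KB0000000' }"},  # placeholder KB
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-CimInstance -ClassName win32_quickfixengineering "},
    {"EventID": 4103, "ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Win32_QuickFixEngineering HotFixID"},  # pipeline event, not a script block
]

REQUIRED_TERMS = ("Win32_QuickFixEngineering", "HotFixID")


def reassemble_script_blocks(events):
    """Join chunked 4104 events back into whole script blocks, keyed by ScriptBlockId."""
    chunks = defaultdict(list)
    for event in events:
        if event.get("EventID") == 4104:
            chunks[event["ScriptBlockId"]].append(event)
    blocks = {}
    for block_id, parts in chunks.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        blocks[block_id] = "".join(p["ScriptBlockText"] for p in parts)
    return blocks


def matches_rule(script_text):
    """Both terms must be present; matching is case-insensitive (assumed, as in Sigma)."""
    lowered = script_text.lower()
    return all(term.lower() in lowered for term in REQUIRED_TERMS)


def run_detection(events):
    """Return the ScriptBlockIds whose reassembled text triggers the rule, sorted."""
    blocks = reassemble_script_blocks(events)
    return sorted(block_id for block_id, text in blocks.items() if matches_rule(text))


if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # ['a1', 'c3']
```

Block `b2` shows the rule's blind spot: the `Get-HotFix` cmdlet enumerates the same data without naming the WMI class, so it never satisfies the `Win32_QuickFixEngineering` term.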
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
Created: 2022-06-21