
Summary
The detection rule identifies potentially malicious PowerShell activity aimed at reconnaissance of installed antivirus products by monitoring PowerShell Script Block Logging events (EventCode 4104). It specifically looks for PowerShell scripts that include queries related to antivirus or antispyware products, leveraging keywords such as 'SELECT', 'WMIC', 'AntiVirusProduct', and 'AntiSpywareProduct'. Such queries are often indicative of adversarial tactics employed by malware and Advanced Persistent Threat (APT) actors to gather information about security measures in order to disable or bypass them during an attack. The rule is designed to provide insights into suspicious command executions that may pose a security risk, allowing security teams to respond proactively to mitigate the potential impact of these activities.
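As an added illustration (not the rule's own search logic or any vendor's code), the following Python applies the keyword combination the summary describes to constructed EventCode 4104 records; the field names `EventCode`/`ScriptBlockText` and the "product keyword AND query keyword" pairing are assumptions about how the rule is composed.

```python
# Constructed sample of Script Block Logging records (EventCode 4104); these
# are not real logs. The field names mirror the Splunk-style fields the rule
# summary refers to, which is an assumption about the actual event format.
SAMPLE_EVENTS = [
    {"EventCode": 4104,
     "ScriptBlockText": r'Get-WmiObject -Namespace root\SecurityCenter2 -Query "SELECT * FROM AntiVirusProduct"'},
    {"EventCode": 4104,
     "ScriptBlockText": r'wmic /namespace:\\root\SecurityCenter2 path AntiSpywareProduct get displayName'},
    # Benign: "Select-Object" contains "select" but names no security product.
    {"EventCode": 4104,
     "ScriptBlockText": r'Get-ChildItem C:\Users | Select-Object Name'},
    # Wrong event type: same text, but not a 4104 script block record.
    {"EventCode": 4103,
     "ScriptBlockText": "SELECT * FROM AntiVirusProduct"},
    # Coverage gap: CIM cmdlet form names the class without SELECT or WMIC,
    # so a rule built only on the summary's keywords would not flag it.
    {"EventCode": 4104,
     "ScriptBlockText": "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
]

# Keyword groups taken from the summary; matching is case-insensitive.
PRODUCT_KEYWORDS = ("antivirusproduct", "antispywareproduct")
QUERY_KEYWORDS = ("select", "wmic")


def is_av_discovery(event):
    """True when a 4104 script block names an AV/antispyware WMI class
    together with a query keyword. Requiring both groups (assumed rule
    composition) keeps 'Select-Object' pipelines from matching on their own."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "").lower()
    names_product = any(k in text for k in PRODUCT_KEYWORDS)
    uses_query = any(k in text for k in QUERY_KEYWORDS)
    return names_product and uses_query


def find_av_discovery(events):
    """Return the script block texts of every event the rule would flag."""
    return [e["ScriptBlockText"] for e in events if is_av_discovery(e)]


if __name__ == "__main__":
    for hit in find_av_discovery(SAMPLE_EVENTS):
        print("AV discovery candidate:", hit)
```

The last sample record shows the kind of variant a defender should test against when tuning: the summary's keyword set covers WMI query and WMIC syntax, not the CIM-cmdlet form.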
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
ATT&CK Techniques
- T1592
Created: 2024-11-13