Recon Avproduct Through Pwh Or WMI

Recon Avproduct Through Pwh Or WMI


The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.


Recon Avproduct Through Pwh Or WMI Help

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here


Open in Search