Recon Avproduct Through Pwh Or WMI

Recon Avproduct Through Pwh Or WMI

Description

The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.

   Help

Recon Avproduct Through Pwh Or WMI Help

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#ConfiguremoduleloggingforPowerShell.

   Search

Open in Search