Potential AV Reconnaissance Via Powershell

Rule Info

Name
Potential AV Reconnaissance Via Powershell
Author
X__Junior, Swachchhanda Shrawan Poudel
Description
Detects PowerShell commands that query the root\SecurityCenter2 WMI namespace via Get-WmiObject or Get-CimInstance, the standard way to enumerate the antivirus and antispyware products registered with Windows Security Center. Threat actors run these queries to identify which security solutions are present on a host, to plan evasion around the products they find, and to spot gaps in the host's security posture. The technique is typically seen during the initial reconnaissance phase of an attack.
Date
2025-02-27 00:00:00
Modified
2025-03-17 00:00:00
Id
9e56c53b-9332-44a2-b3dc-13e25c0f6690
Tags
attack.defense-evasion attack.discovery attack.t1082
Type
Nextron Sigma feed only (private)
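The matching logic the description above implies, run over a few constructed sample events, as an added example. This is illustrative Python written for this page, not the Sigma rule itself (which is private) and not a Nextron tool; the field names, the sample command lines and the helper names are assumptions. It goes slightly beyond the rule text in one labelled place: it also matches the built-in aliases gwmi and gcim, because PowerShell logs script blocks as typed and an alias would slip past a literal cmdlet match.

```python
import re

# Cmdlets named in the rule description plus their built-in aliases.
# Matching gwmi/gcim is an extension beyond the rule text (see lead-in).
WMI_CMDLETS = re.compile(r"\b(Get-WmiObject|Get-CimInstance|gwmi|gcim)\b", re.IGNORECASE)

# WMI namespaces are case-insensitive and accept "\" or "/" as separator, so
# match the distinctive token rather than a full root\SecurityCenter2 string.
SECURITYCENTER2 = re.compile(r"SecurityCenter2", re.IGNORECASE)


def is_av_recon(event: dict) -> bool:
    """True when a PowerShell text field (assumed key 'text', e.g. a 4104
    ScriptBlockText or a process-creation CommandLine) contains both a
    WMI/CIM query cmdlet and the SecurityCenter2 namespace."""
    text = event.get("text", "")
    return bool(WMI_CMDLETS.search(text) and SECURITYCENTER2.search(text))


def find_av_recon(events: list) -> list:
    """Return the subset of events the rule logic would fire on."""
    return [e for e in events if is_av_recon(e)]


# Constructed sample events; none of these were taken from real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "source": "ScriptBlockText",
     "text": r"Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Select-Object displayName, productState"},
    {"id": 2, "source": "CommandLine",
     "text": r"powershell.exe -nop -c Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiSpywareProduct"},
    {"id": 3, "source": "ScriptBlockText",
     "text": r'gwmi -Namespace "root\SecurityCenter2" -Query "SELECT displayName FROM AntiVirusProduct"'},
    # Benign: same cmdlet, a different namespace.
    {"id": 4, "source": "ScriptBlockText",
     "text": r"Get-CimInstance -Namespace root\cimv2 -ClassName Win32_Process"},
    # Same reconnaissance via wmic.exe: outside this rule's PowerShell scope,
    # so it must NOT match here and needs separate coverage.
    {"id": 5, "source": "CommandLine",
     "text": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    # Defender-specific status query: no SecurityCenter2 namespace involved.
    {"id": 6, "source": "ScriptBlockText",
     "text": r"Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled"},
]


if __name__ == "__main__":
    for hit in find_av_recon(SAMPLE_EVENTS):
        print(f"[{hit['id']}] {hit['source']}: {hit['text']}")
```

Two caveats follow directly from the samples. Event 5 shows that the same enumeration through wmic.exe is not PowerShell and is not covered by the behaviour this rule describes, so it needs its own detection. And because the match is a literal one on the namespace token, string-building in the script block (splitting or concatenating "SecurityCenter2") evades it; pairing this rule with script-block logging that captures the de-obfuscated text narrows that gap.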