
Rule Info
Name
PowerShell Enumeration of Security Products via WMI/CIM - Powershell
Author
Swachchhanda Shrawan Poudel
Description
Detects PowerShell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/AntiSpyware reconnaissance.
Threat actors often use these PowerShell commands to enumerate the security products installed on a system,
plan evasion tactics based on the products discovered, and identify potential weaknesses in the security posture.
This technique is commonly used in the initial reconnaissance phase of an attack.
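The check the description outlines, as an added illustration written here and not Nextron's rule logic: a small Python detector that flags PowerShell script-block text (assumed to be the ScriptBlockText of a script block logging event) combining a WMI/CIM query cmdlet with the SecurityCenter2 namespace. It also covers the built-in aliases gwmi and gcim, which the page does not mention, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Cmdlets named in the rule description plus their built-in PowerShell
# aliases (gwmi, gcim); covering the aliases is an assumed extension.
CMDLET_RE = re.compile(r"\b(get-wmiobject|get-ciminstance|gwmi|gcim)\b", re.I)
# The namespace may be written with forward or back slashes, quoted or not.
NAMESPACE_RE = re.compile(r"\bsecuritycenter2\b", re.I)
# Product classes exposed under that namespace; recorded for alert context only.
CLASS_RE = re.compile(r"\b(antivirusproduct|antispywareproduct|firewallproduct)\b", re.I)

# Constructed sample script-block text (not from the page).
SAMPLE_SCRIPT_BLOCKS = [
    "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct",
    "Get-WmiObject -Namespace 'root\\SecurityCenter2' -Class AntiSpywareProduct",
    "gwmi -ns root\\securitycenter2 -class FirewallProduct",   # alias, abbreviated parameter
    "Get-CimInstance -ClassName Win32_OperatingSystem",        # benign: other namespace
    "Get-WmiObject Win32_Process | Select-Object Name",        # benign: other namespace
    'Write-Host "SecurityCenter2 is a namespace"',             # no query cmdlet: no alert
]


@dataclass
class Match:
    cmdlet: str                    # normalized cmdlet or alias that matched
    product_class: Optional[str]   # AV/AntiSpyware/Firewall class if present
    script_block: str              # original text, for the analyst


def inspect_script_block(text: str) -> Optional[Match]:
    """Return a Match when the text queries SecurityCenter2 via WMI/CIM, else None."""
    cmdlet = CMDLET_RE.search(text)
    if not cmdlet or not NAMESPACE_RE.search(text):
        return None
    cls = CLASS_RE.search(text)
    return Match(cmdlet.group(1).lower(), cls.group(1).lower() if cls else None, text)


def scan(script_blocks):
    """Run the check over many script blocks and keep only the hits."""
    return [m for m in (inspect_script_block(t) for t in script_blocks) if m]


if __name__ == "__main__":
    for hit in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[T1082] {hit.cmdlet} -> {hit.product_class}: {hit.script_block}")
```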
Date
2025-03-17 00:00:00
Modified
None
Id
eadc4a02-c213-4f8a-952c-ec836cc31d6b
Tags
attack.defense-evasion attack.discovery attack.t1082
Type
Nextron Sigma feed only (private)