Powershell Suspicious Win32_PnPEntity
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)
Definition
Requirements: Script Block Logging must be enabled
Detection Logic (1 selector)
detection:
  selection:
    ScriptBlockText|contains: Win32_PnPEntity
  condition: selection
False Positives
Admin script
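An added example, not part of the rule or of the Sigma project: a local check of the rule's logging prerequisite, followed by the same selection applied to Event ID 4104 records, so hits can be triaged by script path. It assumes Windows PowerShell 5.1, the standard policy registry key for Script Block Logging, and read access to the PowerShell Operational log.

```powershell
# Added example; constructed for illustration, not part of the Sigma rule.
# Assumes Windows PowerShell 5.1 and rights to read the PowerShell Operational log.

# 1. Prerequisite from the rule definition: Script Block Logging enabled by policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$policy = Get-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if ($null -eq $policy -or $policy.EnableScriptBlockLogging -ne 1) {
    Write-Warning 'Script Block Logging is not enabled by policy on this host.'
}

# 2. Apply the rule's selection to recorded script block events (Event ID 4104).
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $record = $_
        $fields = @{}
        foreach ($d in ([xml]$record.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        $text = [string]$fields['ScriptBlockText']
        # -like is case-insensitive, matching Sigma's default for |contains.
        if ($text -like '*Win32_PnPEntity*') {
            [pscustomobject]@{
                TimeCreated   = $record.TimeCreated
                UserSid       = $record.UserId
                ScriptBlockId = $fields['ScriptBlockId']
                Path          = $fields['Path']
                Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }

# 3. Triage: group by script path; an empty Path means the block did not come from a file.
$hits | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Path'; e = { if ($_.Name) { $_.Name } else { '<no script file>' } } }
```

Because this script contains the matched string itself, it will appear among the hits on later runs once logging is enabled, which is the "Admin script" false positive in practice.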
References
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
b26647de-4feb-4283-af6b-6117661283c5
Status
test
Level
low
Type
Detection
Created
Mon Aug 23
Modified
Sun Dec 25
Author
Path
rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
Raw Tags
attack.discovery
attack.t1120