PowerShell Hotfix Enumeration
Detects calls to the "Win32_QuickFixEngineering" WMI class, which is used to enumerate installed hotfixes and is commonly found in attacker "enum" scripts.
Sigma rule
title: PowerShell Hotfix Enumeration
id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
status: test
description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
references:
    - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
    - attack.discovery
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Win32_QuickFixEngineering'
            - 'HotFixID'
    condition: selection
falsepositives:
    - Legitimate administration scripts
level: medium
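As an added example (not part of the Sigma project or this rule), the rule's `ScriptBlockText|contains|all` logic is applied in Python to constructed Event ID 4104 Script Block Logging records, showing which records it fires on and which it does not; the event records and their text are made up for illustration.

```python
from typing import Dict, List

# Tokens from the rule's selection. Sigma string modifiers such as
# 'contains' are case-insensitive by default, so matching is done on
# lowercased text, which is why the fourth sample below still hits.
RULE_TOKENS = ("Win32_QuickFixEngineering", "HotFixID")


def matches_hotfix_enumeration(script_block_text: str) -> bool:
    """Emulate ScriptBlockText|contains|all: every token must be present."""
    haystack = script_block_text.lower()
    return all(token.lower() in haystack for token in RULE_TOKENS)


# Constructed sample Script Block Logging events (Event ID 4104); not real captures.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4104,
     "ScriptBlockText": "Get-WmiObject -Class Win32_QuickFixEngineering "
                        "| Select-Object HotFixID, InstalledOn"},
    {"EventID": 4104,
     "ScriptBlockText": "Get-HotFix | Sort-Object InstalledOn"},
    {"EventID": 4104,
     "ScriptBlockText": "Get-CimInstance Win32_QuickFixEngineering | Measure-Object"},
    {"EventID": 4104,
     "ScriptBlockText": "get-wmiobject win32_quickfixengineering | select hotfixid"},
    {"EventID": 4103,
     "Payload": "CommandInvocation(Get-WmiObject): Win32_QuickFixEngineering HotFixID"},
]


def evaluate_events(events: List[Dict[str, object]]) -> List[int]:
    """Return indices of events the rule would flag.

    Only records carrying a ScriptBlockText field (the ps_script log source)
    are considered; other event types are skipped, mirroring the rule's
    stated requirement that Script Block Logging be enabled.
    """
    hits = []
    for idx, event in enumerate(events):
        text = event.get("ScriptBlockText")
        if isinstance(text, str) and matches_hotfix_enumeration(text):
            hits.append(idx)
    return hits


if __name__ == "__main__":
    for i in evaluate_events(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['ScriptBlockText']}")
```

The second sample shows the rule's scope: a script that lists hotfixes through the `Get-HotFix` cmdlet without naming the WMI class and the `HotFixID` property does not match, so that path needs separate coverage.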
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- AD Privileged Users or Groups Reconnaissance