sigmalowHunting

Powershell Suspicious Win32_PnPEntity

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.

MITRE ATT&CK

T1120

discovery

Detection Query

selection:
  ScriptBlockText|contains: Win32_PnPEntity
condition: selection

Author

frack113

Created

2021-08-23

Data Sources

windowsps_script

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md

Tags

attack.discoveryattack.t1120

Raw Content

title: Powershell Suspicious Win32_PnPEntity
id: b26647de-4feb-4283-af6b-6117661283c5
status: test
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
author: frack113
date: 2021-08-23
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1120
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Win32_PnPEntity
    condition: selection
falsepositives:
    - Admin script
level: low