LoFP / legitimate administration scripts

Techniques

Sample rules

PowerShell Hotfix Enumeration

Description

Detects calls to the “Win32_QuickFixEngineering” WMI class used to enumerate installed hotfixes, a step commonly found in the host “enum” scripts attackers run after gaining access

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - Win32_QuickFixEngineering
  - HotFixID
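As an added illustration (not part of this LoFP page or the Sigma project), the Python below reproduces the rule's contains|all matching over constructed PowerShell script block log entries and shows how an allowlist of known patch-management accounts tunes out the legitimate administration scripts this page lists as a false positive. The event shape, user names and script text are all assumed.

```python
# Substrings from the rule's selection: ScriptBlockText|contains|all
REQUIRED_SUBSTRINGS = ("Win32_QuickFixEngineering", "HotFixID")

# Constructed sample script block events (fields modelled loosely on
# PowerShell Event ID 4104; user names and scripts are invented).
SAMPLE_EVENTS = [
    {"id": 1, "user": "svc-patching",
     "ScriptBlockText": "Get-WmiObject -Class Win32_QuickFixEngineering | "
                        "Select-Object HotFixID, InstalledOn | "
                        "Export-Csv C:\\Reports\\patches.csv"},
    {"id": 2, "user": "jdoe",
     "ScriptBlockText": "Get-CimInstance Win32_QuickFixEngineering | "
                        "Where-Object {$_.HotFixID -eq 'KB0000000'}"},
    {"id": 3, "user": "jdoe",
     "ScriptBlockText": "Get-HotFix | Select-Object HotFixID"},
    {"id": 4, "user": "admin",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"},
]


def contains_all(script_block_text, needles=REQUIRED_SUBSTRINGS):
    """Sigma 'contains|all': every needle must occur somewhere in the
    field. Sigma string matching is case-insensitive by default, so the
    comparison is lowered on both sides."""
    haystack = script_block_text.lower()
    return all(n.lower() in haystack for n in needles)


def evaluate(events):
    """Return the ids of events the rule fires on."""
    return [e["id"] for e in events if contains_all(e["ScriptBlockText"])]


def triage(events, allowlisted_users):
    """Apply the rule, then drop hits from accounts known to run scheduled
    patch-inventory scripts (the false positive this page describes).
    Allowlisting by account is one tuning option; scoping by source host
    or script path would be alternatives."""
    return [e["id"] for e in events
            if contains_all(e["ScriptBlockText"])
            and e["user"] not in allowlisted_users]


if __name__ == "__main__":
    print("raw hits:", evaluate(SAMPLE_EVENTS))             # [1, 2]
    print("after tuning:", triage(SAMPLE_EVENTS, {"svc-patching"}))  # [2]
```

Event 3 shows why the rule needs both substrings: Get-HotFix alone mentions HotFixID but never the WMI class, so it does not fire.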