From e2d8de2be4669befc79a986969a923cea0fc7a5d Mon Sep 17 00:00:00 2001
From: kevross33
Date: Wed, 5 Mar 2025 12:57:52 +0000
Subject: [PATCH 1/2] Create wmi-get-antivirus.yml

Rule to detect querying installed anti-virus via WMI
---
 nursery/wmi-get-antivirus.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 nursery/wmi-get-antivirus.yml

diff --git a/nursery/wmi-get-antivirus.yml b/nursery/wmi-get-antivirus.yml
new file mode 100644
index 000000000..d8cc03547
--- /dev/null
+++ b/nursery/wmi-get-antivirus.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: wmi get antivirus
+ namespace: collection/anti-virus
+ authors:
+ - kevross33/Kevin Ross
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Discovery::Permission Groups Discovery [T1069]
+ examples:
+ - f5fca1b178af87bd48c7ea9e3f2c957b
+ features:
+ - and:
+ - string: /root\\securitycenter/i
+ - string: /antivirusproduct/i

From 34ea3f04d1a77c4afcc071e72439958bc3cd6542 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Wed, 5 Mar 2025 12:59:00 +0000
Subject: [PATCH 2/2] Update wmi-get-antivirus.yml

---
 nursery/wmi-get-antivirus.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nursery/wmi-get-antivirus.yml b/nursery/wmi-get-antivirus.yml
index d8cc03547..9b1b16072 100644
--- a/nursery/wmi-get-antivirus.yml
+++ b/nursery/wmi-get-antivirus.yml
@@ -8,7 +8,7 @@ rule:
 static: function
 dynamic: span of calls
 att&ck:
- - Discovery::Permission Groups Discovery [T1069]
+ - Discovery::Windows Management Instrumentation [T1047]
 examples:
 - f5fca1b178af87bd48c7ea9e3f2c957b
 features:
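Review bot: The new rule's `meta` carries no `description`, so a reader has to infer from the two regexes that it flags code querying the WMI AntiVirusProduct class; add something like `description: detects querying installed anti-virus products through the WMI SecurityCenter namespace (AntiVirusProduct class)`. It is worth stating in that description that `/root\\securitycenter/i` is a substring match and so also covers the `root\SecurityCenter2` namespace used on current Windows, so that nobody later "fixes" the pattern and silently narrows it. Since both strings also appear in legitimate inventory and administration tooling, a `references:` entry alongside the single `examples:` hash would help reviewers judge the false-positive rate before this leaves the nursery. The `namespace: collection/anti-virus` value should also be checked against the existing rule tree, as the behaviour matched is discovery of installed security software rather than data collection.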
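Review bot: The remapped entry `Discovery::Windows Management Instrumentation [T1047]` pairs the Discovery tactic with a technique that ATT&CK files under Execution, so the tactic/technique pair is inconsistent as written. What the rule actually matches, enumerating installed security products, is the sub-technique `Discovery::Software Discovery::Security Software Discovery [T1518.001]`, which should replace the removed T1069 line. If the WMI vector itself is worth recording, add it as a second entry `Execution::Windows Management Instrumentation [T1047]` rather than folding it into the Discovery tactic.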