PowerShell Downgrade Attack - PowerShell
Detects a PowerShell downgrade attack by comparing the host version with the engine version actually in use (2.0): a modern host that starts a 2.0 engine is suspicious, while a host that is itself version 2.0 is not.
Sigma rule
title: PowerShell Downgrade Attack - PowerShell
id: 6331d09b-4785-4c13-980f-f96661356249
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
date: 2017-03-22
modified: 2023-10-27
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'EngineVersion=2.'
    filter_main:
        Data|contains: 'HostVersion=2.'
    condition: selection and not filter_main
falsepositives:
    - Unknown
level: medium
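The detection logic above, applied to sample event data, as an added example that is not part of the Sigma rule or the Sigma project's code. It assumes the Data field of classic Windows PowerShell event ID 400 ("Engine state is changed from None to Available"), whose details include HostVersion and EngineVersion lines; the sample values are constructed, and the `contains` match is done case-insensitively as Sigma defines it.

```python
# Constructed Data fields of classic PowerShell event ID 400. Only the
# lines relevant to the rule are included; the version numbers are made up.
SAMPLE_EVENTS = {
    # Modern host running its own 5.1 engine: benign.
    "ps51_normal": "HostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                   "\tHostApplication=powershell.exe\n\tEngineVersion=5.1.19041.1",
    # Modern host forced onto the 2.0 engine: the downgrade the rule targets.
    "ps51_downgraded": "HostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                       "\tHostApplication=powershell.exe -version 2\n\tEngineVersion=2.0",
    # Legacy host that is itself 2.0: filter_main suppresses it.
    "ps2_native": "HostName=ConsoleHost\n\tHostVersion=2.0\n"
                  "\tHostApplication=powershell.exe\n\tEngineVersion=2.0",
    # ISE host started with the 2.0 engine: also a downgrade.
    "ise_downgraded": "HostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.19041.1\n"
                      "\tHostApplication=powershell_ise.exe\n\tEngineVersion=2.0",
}


def sigma_contains(field: str, needle: str) -> bool:
    """Sigma's 'contains' modifier matches case-insensitively by default."""
    return needle.lower() in field.lower()


def is_downgrade(data: str) -> bool:
    """Evaluate 'selection and not filter_main' against one event's Data field."""
    selection = sigma_contains(data, "EngineVersion=2.")
    filter_main = sigma_contains(data, "HostVersion=2.")
    return selection and not filter_main


def find_downgrades(events: dict) -> list:
    """Return the names of all events the rule would alert on, sorted."""
    return sorted(name for name, data in events.items() if is_downgrade(data))


if __name__ == "__main__":
    for name in find_downgrades(SAMPLE_EVENTS):
        print(f"ALERT PowerShell downgrade: {name}")
```

Note that the filter only exempts hosts whose own version starts with 2., so a host that reports no HostVersion line at all would still alert if a 2.0 engine starts.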
Related rules
- Base64 Encoded PowerShell Command Detected
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Detection of PowerShell Execution via Sqlps.exe
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent