PowerShell Downgrade Attack - PowerShell

Detects a PowerShell downgrade attack by comparing the reported host version with the engine version actually in use (2.0): a newer host running the legacy 2.0 engine is flagged, while a host that is itself 2.x is filtered out.

Sigma rule

title: PowerShell Downgrade Attack - PowerShell
id: 6331d09b-4785-4c13-980f-f96661356249
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
modified: 2023/10/27
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'EngineVersion=2.'
    filter_main:
        Data|contains: 'HostVersion=2.'
    condition: selection and not filter_main
falsepositives:
    - Unknown
level: medium
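The following is an added worked example, not code from the rule page or from the SigmaHQ project: it translates the rule's `selection`, `filter_main` and `condition` into Python and runs it over constructed sample payloads modelled on the `Data` field of the classic "Windows PowerShell" log engine-start event (the `ps_classic_start` log source). The three event strings, the version numbers in them and the helper names `parse_details`, `sigma_matches` and `evaluate` are all assumptions made for the example.

```python
"""Evaluate the 'PowerShell Downgrade Attack' Sigma logic over sample engine-start events.

Added example (not the rule's own code). Sample Data payloads below are constructed
to look like the Details block of a classic Windows PowerShell engine-start event.
"""
import re

# Constructed sample Data payloads; all versions and IDs are made-up values.
SAMPLE_EVENTS = [
    # 1) Normal session: PowerShell 5.1 host running the 5.1 engine -> no match.
    "Engine state is changed from None to Available.\n\nDetails:\n"
    "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n"
    "\tHostVersion=5.1.19041.1\n\tHostApplication=powershell.exe\n"
    "\tEngineVersion=5.1.19041.1\n"
    "\tRunspaceId=00000000-0000-0000-0000-000000000000\n",
    # 2) Downgrade: 5.1 host started with the legacy 2.0 engine -> match.
    "Engine state is changed from None to Available.\n\nDetails:\n"
    "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n"
    "\tHostVersion=5.1.19041.1\n\tHostApplication=powershell.exe -Version 2\n"
    "\tEngineVersion=2.0\n"
    "\tRunspaceId=11111111-1111-1111-1111-111111111111\n",
    # 3) Legacy box where 2.0 is the only PowerShell: host is 2.x too -> filtered.
    "Engine state is changed from None to Available.\n\nDetails:\n"
    "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n"
    "\tHostVersion=2.0\n\tHostApplication=powershell.exe\n"
    "\tEngineVersion=2.0\n"
    "\tRunspaceId=22222222-2222-2222-2222-222222222222\n",
]

# One "Key=Value" line of the Details block; keys are bare identifiers.
_DETAIL_RE = re.compile(r"^\s*([A-Za-z]+)=(.*?)\s*$", re.MULTILINE)


def parse_details(data: str) -> dict:
    """Return the Key=Value pairs of the Details block as a dict."""
    return dict(_DETAIL_RE.findall(data))


def sigma_matches(data: str) -> bool:
    """Literal translation of the rule's detection section.

    selection:   Data|contains 'EngineVersion=2.'
    filter_main: Data|contains 'HostVersion=2.'
    condition:   selection and not filter_main
    """
    selection = "EngineVersion=2." in data
    filter_main = "HostVersion=2." in data
    return selection and not filter_main


def evaluate(events):
    """Return (event_index, HostVersion, EngineVersion) for each event the rule fires on."""
    hits = []
    for index, data in enumerate(events):
        if sigma_matches(data):
            details = parse_details(data)
            hits.append((index, details.get("HostVersion"), details.get("EngineVersion")))
    return hits


if __name__ == "__main__":
    for index, host, engine in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: host {host} started engine {engine} (downgrade)")
```

The filter is what keeps the rule usable on hosts that legitimately only have PowerShell 2.0 installed: there the host version is also 2.x, so both substrings are present and the condition is false. Only a newer host (here 5.1) that spawns the 2.0 engine, which is what `powershell.exe -Version 2` does, survives both checks.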
