PowerShell Downgrade Attack - PowerShell

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

Sigma rule (View on GitHub)

 1title: PowerShell Downgrade Attack - PowerShell
 2id: 6331d09b-4785-4c13-980f-f96661356249
 3status: test
 4description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
 5references:
 6    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 7author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
 8date: 2017-03-22
 9modified: 2023-10-27
10tags:
11    - attack.defense-evasion
12    - attack.execution
13    - attack.t1059.001
14logsource:
15    product: windows
16    category: ps_classic_start
17detection:
18    selection:
19        Data|contains: 'EngineVersion=2.'
20    filter_main:
21        Data|contains: 'HostVersion=2.'
22    condition: selection and not filter_main
23falsepositives:
24    - Unknown
25level: medium

References

Related rules

to-top