PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Sigma rule (View on GitHub)
1title: PowerShell Called from an Executable Version Mismatch
2id: c70e019b-1479-4b65-b0cc-cd0c6093a599
3status: test
4description: Detects PowerShell called from an executable by the version mismatch method
5references:
6 - https://adsecurity.org/?p=2921
7author: Sean Metcalf (source), Florian Roth (Nextron Systems)
8date: 2017-03-05
9modified: 2023-10-27
10tags:
11 - attack.defense-evasion
12 - attack.execution
13 - attack.t1059.001
14logsource:
15 product: windows
16 category: ps_classic_start
17detection:
18 selection_engine:
19 Data|contains:
20 - 'EngineVersion=2.'
21 - 'EngineVersion=4.'
22 - 'EngineVersion=5.'
23 selection_host:
24 Data|contains: 'HostVersion=3.'
25 condition: all of selection_*
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Detection of PowerShell Execution via Sqlps.exe
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent
- Greenbug Espionage Group Indicators