PowerShell Called from an Executable Version Mismatch

Detects PowerShell called from an executable by the version mismatch method

Sigma rule (View on GitHub)

 1title: PowerShell Called from an Executable Version Mismatch
 2id: c70e019b-1479-4b65-b0cc-cd0c6093a599
 3status: test
 4description: Detects PowerShell called from an executable by the version mismatch method
 5references:
 6    - https://adsecurity.org/?p=2921
 7author: Sean Metcalf (source), Florian Roth (Nextron Systems)
 8date: 2017-03-05
 9modified: 2023-10-27
10tags:
11    - attack.defense-evasion
12    - attack.execution
13    - attack.t1059.001
14logsource:
15    product: windows
16    category: ps_classic_start
17detection:
18    selection_engine:
19        Data|contains:
20            - 'EngineVersion=2.'
21            - 'EngineVersion=4.'
22            - 'EngineVersion=5.'
23    selection_host:
24        Data|contains: 'HostVersion=3.'
25    condition: all of selection_*
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top