PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Sigma rule (View on GitHub)
1title: PowerShell Called from an Executable Version Mismatch
2id: c70e019b-1479-4b65-b0cc-cd0c6093a599
3status: test
4description: Detects PowerShell called from an executable by the version mismatch method
5references:
6 - https://adsecurity.org/?p=2921
7author: Sean Metcalf (source), Florian Roth (Nextron Systems)
8date: 2017/03/05
9modified: 2023/10/27
10tags:
11 - attack.defense_evasion
12 - attack.execution
13 - attack.t1059.001
14logsource:
15 product: windows
16 category: ps_classic_start
17detection:
18 selection_engine:
19 Data|contains:
20 - 'EngineVersion=2.'
21 - 'EngineVersion=4.'
22 - 'EngineVersion=5.'
23 selection_host:
24 Data|contains: 'HostVersion=3.'
25 condition: all of selection_*
26falsepositives:
27 - Unknown
28level: high
References
-
This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current inform...
Read More
Related rules
- PowerShell Downgrade Attack - PowerShell
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- HackTool - CrackMapExec PowerShell Obfuscation
- Invoke-Obfuscation CLIP+ Launcher - Security
- Invoke-Obfuscation COMPRESS OBFUSCATION