PowerShell Called from an Executable Version Mismatch

Detects PowerShell called from an executable by the version mismatch method. When the PowerShell engine is hosted by a program other than the standard console, Event ID 400 ("Engine state is changed from None to Available") in the Windows PowerShell classic log records a HostVersion that does not match the EngineVersion; the rule below matches that combination in the event's Data field. As written it fires only for a 3.x host paired with a 2.x, 4.x or 5.x engine; other host/engine pairings are not covered.

Sigma rule

title: PowerShell Called from an Executable Version Mismatch
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
status: test
description: Detects PowerShell called from an executable by the version mismatch method
references:
    - https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-10-27
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection_engine:
        Data|contains:
            - 'EngineVersion=2.'
            - 'EngineVersion=4.'
            - 'EngineVersion=5.'
    selection_host:
        Data|contains: 'HostVersion=3.'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
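The rule's detection logic run over sample events, as an added example written for this page (it is not part of the Sigma rule, the Sigma project, or the referenced adsecurity post). It parses the details block of an Event ID 400 record from the Windows PowerShell classic log, applies the rule's `contains` conditions exactly as written on the raw Data string, and also applies a generalized check that goes beyond the rule: any difference between the HostVersion and EngineVersion major numbers. The sample events are constructed; host names, paths and build numbers are illustrative.

```python
import re
from typing import Dict, List, Optional

# Constructed sample "Data" payloads for Event ID 400 ("Engine state is changed
# from None to Available") in the Windows PowerShell classic log, the channel
# behind the Sigma logsource category ps_classic_start. Values are illustrative.
SAMPLE_EVENTS: List[str] = [
    # 1: interactive console, host and engine versions agree -> benign
    "Engine state is changed from None to Available.\n"
    "Details:\n"
    "\tNewEngineState=Available\n"
    "\tPreviousEngineState=None\n"
    "\tHostName=ConsoleHost\n"
    "\tHostVersion=5.1.19041.1\n"
    "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "\tEngineVersion=5.1.19041.1\n",
    # 2: executable embedding a 3.x host on a 5.x engine -> rule fires
    "Engine state is changed from None to Available.\n"
    "Details:\n"
    "\tNewEngineState=Available\n"
    "\tPreviousEngineState=None\n"
    "\tHostName=Default Host\n"
    "\tHostVersion=3.0.0.0\n"
    "\tHostApplication=C:\\Users\\Public\\updater.exe\n"
    "\tEngineVersion=5.1.19041.1\n",
    # 3: 3.x host on a 3.x engine -> versions agree, rule does not fire
    "Engine state is changed from None to Available.\n"
    "Details:\n"
    "\tHostName=Default Host\n"
    "\tHostVersion=3.0.0.0\n"
    "\tHostApplication=C:\\Tools\\legacyhost.exe\n"
    "\tEngineVersion=3.0.0.0\n",
    # 4: 5.x host on a 4.x engine -> a mismatch, but not one the rule lists
    "Engine state is changed from None to Available.\n"
    "Details:\n"
    "\tHostName=Default Host\n"
    "\tHostVersion=5.1.14409.1012\n"
    "\tHostApplication=C:\\Users\\Public\\loader.exe\n"
    "\tEngineVersion=4.0\n",
]

# One "Key=Value" per line inside the details block; values may contain spaces
# (e.g. "HostName=Default Host"), so everything after the first '=' is the value.
FIELD_RE = re.compile(r"^\s*(\w+)=(.*?)\s*$")


def parse_engine_event(data: str) -> Dict[str, str]:
    """Turn the key=value lines of an Event 400 details block into a dict."""
    fields: Dict[str, str] = {}
    for line in data.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def sigma_match(data: str) -> bool:
    """Exact port of the rule: 'all of selection_*' as substring tests on Data."""
    selection_engine = any(f"EngineVersion={m}." in data for m in ("2", "4", "5"))
    selection_host = "HostVersion=3." in data
    return selection_engine and selection_host


def major_version(version: str) -> Optional[int]:
    """Leading integer of a dotted version string, or None if it does not parse."""
    m = re.match(r"(\d+)\.", version)
    return int(m.group(1)) if m else None


def generalized_mismatch(data: str) -> bool:
    """Generalization (not in the rule): any host/engine major-version mismatch."""
    f = parse_engine_event(data)
    host = major_version(f.get("HostVersion", ""))
    engine = major_version(f.get("EngineVersion", ""))
    return host is not None and engine is not None and host != engine


def evaluate(events: List[str]) -> List[Dict[str, object]]:
    """Run both checks over a list of Event 400 Data payloads."""
    results = []
    for i, data in enumerate(events, 1):
        f = parse_engine_event(data)
        results.append({
            "event": i,
            "host": f.get("HostName"),
            "host_app": f.get("HostApplication"),
            "sigma": sigma_match(data),
            "mismatch": generalized_mismatch(data),
        })
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        print(r)
```

The `sigma` column is what the rule as published would raise; the `mismatch` column shows why a practitioner may want to widen it, since the fourth sample is an executable-hosted engine the fixed `HostVersion=3.` selection never sees. Triage hits on HostApplication: the rule gives no false-positive list, so legitimate embedded hosts in your environment have to be baselined locally.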
