Detectionmediumtest

PowerShell Downgrade Attack - PowerShell

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), Lee Holmes, Harish Segar (improvements)Created Wed Mar 22Updated Fri Oct 276331d09b-4785-4c13-980f-f96661356249windows

Log Source

WindowsPowerShell Classic

ProductWindows← raw: windows

CategoryPowerShell Classic← raw: ps_classic_start

Detection Logic

detection:
    selection:
        Data|contains: 'EngineVersion=2.'
    filter_main:
        Data|contains: 'HostVersion=2.'
    condition: selection and not filter_main

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

leeholmes.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Rule Metadata

Rule ID

6331d09b-4785-4c13-980f-f96661356249

Status

test

Level

medium

Type

Detection

Created

Wed Mar 22

Modified

Fri Oct 27

Author

Florian Roth (Nextron Systems), Lee Holmes, Harish Segar (improvements)

Path

rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml

Raw Tags

attack.defense-evasionattack.executionattack.t1059.001

View on GitHub