title: PowerShell Downgrade Attack
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
description: Detects PowerShell downgrade attack by comparing the host versions with
  the actually used engine version 2.0
detection:
  SELECTION_1:
    EngineVersion: 2.*
  SELECTION_2:
    HostVersion: 2.*
  condition: (SELECTION_1 and  not (SELECTION_2))
falsepositives:
- Penetration Test
- Unknown
id: 6331d09b-4785-4c13-980f-f96661356249
level: medium
logsource:
  category: ps_classic_start
  definition: fields have to be extract from event
  product: windows
modified: 2021/10/16
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086