title: PowerShell Downgrade Attack
author: Harish Segar (rule)
date: 2020/03/20
description: Detects PowerShell downgrade attack by comparing the host versions with
  the actually used engine version 2.0
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '* -version 2 *'
    - '* -versio 2 *'
    - '* -versi 2 *'
    - '* -vers 2 *'
    - '* -ver 2 *'
    - '* -ve 2 *'
  SELECTION_3:
    Image: '*\powershell.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Penetration Test
- Unknown
id: b3512211-c67e-4707-bedc-66efc7848863
level: medium
logsource:
  category: process_creation
  product: windows
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
related:
- id: 6331d09b-4785-4c13-980f-f96661356249
  type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
- attack.t1059.001
ruletype: SIGMA