title: PowerShell Called from an Executable Version Mismatch
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects PowerShell called from an executable by the version mismatch method
detection:
  SELECTION_1:
    EngineVersion: 2.*
  SELECTION_2:
    EngineVersion: 4.*
  SELECTION_3:
    EngineVersion: 5.*
  SELECTION_4:
    HostVersion: 3.*
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
  - Penetration Tests
  - Unknown
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
level: high
logsource:
  category: ps_classic_start
  definition: fields have to be extracted from event
  product: windows
modified: 2021/10/16
references:
  - https://adsecurity.org/?p=2921
status: experimental
tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1059.001
  - attack.t1086
yml_filename: powershell_exe_calling_ps.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic