CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
83d891b2faaa8fa0be012c34b200950d20a3f307
hayabusa/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

32 lines
850 B
YAML
Raw Blame History

title: PowerShell Downgrade Attack
ruletype: Sigma
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
description: Detects PowerShell downgrade attack by comparing the host versions with
the actually used engine version 2.0
detection:
SELECTION_1:
EngineVersion: 2.*
SELECTION_2:
HostVersion: 2.*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Penetration Test
- Unknown
id: 6331d09b-4785-4c13-980f-f96661356249
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086
Reference in New Issue View Git Blame Copy Permalink