SigmaHQ/rules/windows/powershell/powershell_downgrade_attack.yml

title: PowerShell Downgrade Attack
status: experimental
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1086
author: Florian Roth (rule), Lee Holmes (idea)
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        EventID: 400
        EngineVersion: '2.*'
    filter:
        HostVersion: '2.*' 
    condition: selection and not filter
falsepositives:
    - Penetration Test
    - Unknown
level: medium
Rules: PowerShell Downgrade Attacks 2017-03-22 10:17:03 +00:00			`title: PowerShell Downgrade Attack`
			`status: experimental`
			`description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.execution`
			`- attack.t1086`
Rules: PowerShell Downgrade Attacks 2017-03-22 10:17:03 +00:00			`author: Florian Roth (rule), Lee Holmes (idea)`
			`logsource:`
			`product: windows`
			`service: powershell-classic`
			`detection:`
			`selection:`
			`EventID: 400`
			`EngineVersion: '2.*'`
			`filter:`
			`HostVersion: '2.*'`
			`condition: selection and not filter`
			`falsepositives:`
			`- Penetration Test`
			`- Unknown`
			`level: medium`