SigmaHQ/rules/windows/powershell/powershell_downgrade_attack.yml

action: global
title: PowerShell Downgrade Attack
id: 6331d09b-4785-4c13-980f-f96661356249
status: experimental
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1086
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
falsepositives:
    - Penetration Test
    - Unknown
level: medium
---
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        EventID: 400
        EngineVersion|startswith: '2.'
    filter:
        HostVersion|startswith: '2.'
    condition: selection and not filter
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine:
            - '*-v* 2'
            - '*-V* 2'
        Image|endswith: '\powershell.exe'
    condition: selection
---
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        CommandLine:
            - '*-v* 2'
            - '*-V* 2'
        Image|endswith: '\powershell.exe'
    condition: selection
Added missing action field 2020-03-20 21:46:19 +00:00			`action: global`
Rules: PowerShell Downgrade Attacks 2017-03-22 10:17:03 +00:00			`title: PowerShell Downgrade Attack`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 6331d09b-4785-4c13-980f-f96661356249`
Rules: PowerShell Downgrade Attacks 2017-03-22 10:17:03 +00:00			`status: experimental`
			`description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.execution`
			`- attack.t1086`
Fixed author field. 2020-03-20 21:49:07 +00:00			`author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/03/22`
Improvement detection on downgrade of powershell 2020-03-20 20:48:19 +00:00			`falsepositives:`
			`- Penetration Test`
			`- Unknown`
			`level: medium`
			`---`
Rules: PowerShell Downgrade Attacks 2017-03-22 10:17:03 +00:00			`logsource:`
			`product: windows`
			`service: powershell-classic`
			`detection:`
			`selection:`
			`EventID: 400`
Added conditions... 2020-03-20 21:33:14 +00:00			`EngineVersion\|startswith: '2.'`
Rules: PowerShell Downgrade Attacks 2017-03-22 10:17:03 +00:00			`filter:`
Added conditions... 2020-03-20 21:33:14 +00:00			`HostVersion\|startswith: '2.'`
Rules: PowerShell Downgrade Attacks 2017-03-22 10:17:03 +00:00			`condition: selection and not filter`
Improvement detection on downgrade of powershell 2020-03-20 20:48:19 +00:00			`---`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 1`
			`CommandLine:`
Usage of value modifiers... 2020-03-20 21:03:48 +00:00			`- '-v 2'`
			`- '-V 2'`
Improvement detection on downgrade of powershell 2020-03-20 20:48:19 +00:00			`Image\|endswith: '\powershell.exe'`
Usage of value modifiers... 2020-03-20 21:03:48 +00:00			`condition: selection`
Improvement detection on downgrade of powershell 2020-03-20 20:48:19 +00:00			`---`
			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 4688`
			`CommandLine:`
Usage of value modifiers... 2020-03-20 21:03:48 +00:00			`- '-v 2'`
			`- '-V 2'`
Improvement detection on downgrade of powershell 2020-03-20 20:48:19 +00:00			`Image\|endswith: '\powershell.exe'`
Usage of value modifiers... 2020-03-20 21:03:48 +00:00			`condition: selection`