SigmaHQ/rules/windows/powershell/powershell_downgrade_attack.yml

25 lines
703 B
YAML

title: PowerShell Downgrade Attack
status: experimental
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
author: Florian Roth (rule), Lee Holmes (idea)
logsource:
product: windows
service: powershell-classic
detection:
selection:
EventID: 400
EngineVersion: '2.*'
filter:
HostVersion: '2.*'
condition: selection and not filter
falsepositives:
- Penetration Test
- Unknown
level: medium