Query Details
Powershell V2downgrade
Query
name: Execution, Potential PowerShell Downgrade Attack
description: Detects PowerShell downgrade attack through commandline analysis
references: https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_downgrade_attack
tags: Execution, T1059.001
search_query:
(DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "-v 2"
or ProcessCommandLine has "-v 2.0"
or ProcessCommandLine has "-version 2"
or ProcessCommandLine has "-versi 2"
or ProcessCommandLine has "-vers 2"
or ProcessCommandLine has "-ver 2"
or ProcessCommandLine has "-ve 2"
or ProcessCommandLine has "-ve 2"
or ProcessCommandLine has "-version 2.0"| where InitiatingProcessFileName != "MonitoringHost.exe")
Explanation
This query is designed to detect potential PowerShell downgrade attacks by analyzing command line inputs. Here's a simplified summary:
- Target Events: It looks at events related to processes (
DeviceProcessEvents). - Specific Programs: It focuses on processes where the file name is either
powershell.exeorpowershell_ise.exe. - Command Line Indicators: It checks if the command line used to start these processes includes any of several variations indicating a request to use PowerShell version 2 (e.g.,
-v 2,-version 2.0, etc.). - Exclusion: It excludes events where the initiating process is
MonitoringHost.exe.
In essence, this query identifies instances where PowerShell is being run with commands that suggest a downgrade to version 2, which could be indicative of an attack, while ignoring legitimate monitoring processes.
Details
Ali Hussein
Released: January 22, 2024
Tables
DeviceProcessEvents
Keywords
Devices
Operators
in~|has!=