← Library
sigmaDRL-1.1from SigmaHQ/sigma

PowerShell Called from an Executable Version Mismatch

Detects PowerShell called from an executable by the version mismatch method

Quality
84
FP risk
Forks
0
Views
0
ATT&CK techniques
T1059.001
Rule sourcerules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
title: PowerShell Called from an Executable Version Mismatch
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
status: test
description: Detects PowerShell called from an executable by the version mismatch method
references:
    - https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-10-27
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection_engine:
        Data|contains:
            - 'EngineVersion=2.'
            - 'EngineVersion=4.'
            - 'EngineVersion=5.'
    selection_host:
        Data|contains: 'HostVersion=3.'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high