Detects command execution and arguments associated with disabling or modification of security software processes or services. PowerShell Downgrade attack is a downgrade to an older versions of PowerShell that doesn’t contain security controls such as AMSI protection
Example:
PowerShell –Version 2 –Command <…>
Related
N/A
Reference:
https://github.com/SigmaHQ/sigma/blob/6eaba7e37ebb17541991c99a764ccb6866696bc6/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/
{{ mitre("T1562.001")}}
Data Source(s): Command
let selection_CommandLine = dynamic([' -version 2 ',' -versio 2 ',' -versi 2 ', ' -vers 2 ', ' -ver 2 ', ' -ve 2 ', ' -v 2 ']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath endswith "\\powershell.exe" and ProcessCommandLine has_any (selection_CommandLine)
| where InitiatingProcessFolderPath !endswith "\\microsoft monitoring agent\\agent\\monitoringhost.exe" //Microsoft Monitoring Agent
//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine
- Inspect if the activity if it is expected and approved performed by an admin or a service
- Microsft monitoring agent
- This is a high fidelity threat hunt detection
Version 2.0 (date: 07/02/2024)