rules/windows/powershell/powershell_exe_calling_ps.yml

title: PowerShell Called from an Executable Version Mismatch
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
    product: windows
    service: powershell-classic
    definition: fields have to be extract from event
detection:
    selection1:
        EventID: 400
        EngineVersion|startswith:
            - '2.'
            - '4.'
            - '5.'
        HostVersion|startswith: '3.'
    condition: selection1
falsepositives:
    - Penetration Tests
    - Unknown
level: high
fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00			`title: PowerShell Called from an Executable Version Mismatch`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: c70e019b-1479-4b65-b0cc-cd0c6093a599`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`status: experimental`
			`description: Detects PowerShell called from an executable by the version mismatch method`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://adsecurity.org/?p=2921`
Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00			`tags:`
			`- attack.defense_evasion`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 # an old one`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`author: Sean Metcalf (source), Florian Roth (rule)`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2017/03/05`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00			`product: windows`
Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:03 +01:00			`service: powershell-classic`
$frack113$ add definition to powershell-classic 2021-08-16 12:56:24 +02:00			`definition: fields have to be extract from event`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`detection:`
PowerShell Rules Revision 2017-03-05 14:14:31 +01:00			`selection1:`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`EventID: 400`
Update powershell_exe_calling_ps.yml 2020-10-15 17:09:47 -03:00			`EngineVersion\|startswith:`
			`- '2.'`
			`- '4.'`
			`- '5.'`
			`HostVersion\|startswith: '3.'`
PowerShell Rules Revision 2017-03-05 14:14:31 +01:00			`condition: selection1`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`falsepositives:`
Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:03 +01:00			`- Penetration Tests`
			`- Unknown`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`level: high`