From b129f09feeceac67a97a9bc90eb86c4ec0b5e2af Mon Sep 17 00:00:00 2001
From: Harish SEGAR
Date: Fri, 20 Mar 2020 21:48:19 +0100
Subject: [PATCH] Improvement detection on downgrade of powershell
---
 .../powershell_downgrade_attack.yml | 39 ++++++++++++++++---
 1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index b136b1566..f8834a1d3 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
@@ -10,17 +10,44 @@ tags:
 - attack.t1086
 author: Florian Roth (rule), Lee Holmes (idea)
 date: 2017/03/22
+falsepositives:
+ - Penetration Test
+ - Unknown
+level: medium
+---
 logsource:
 product: windows
 service: powershell-classic
 detection:
 selection:
 EventID: 400
- EngineVersion: '2.*'
+ EngineVersion: "2.*"
 filter:
- HostVersion: '2.*'
+ HostVersion: "2.*"
 condition: selection and not filter
-falsepositives:
- Penetration Test
- Unknown
-level: medium
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ CommandLine:
+ - "*-v* 2"
+ - "*-V* 2"
+ filter:
+ Image|endswith: '\powershell.exe'
+ condition: selection and filter
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4688
+ CommandLine:
+ - "*-v* 2"
+ - "*-V* 2"
+ filter:
+ Image|endswith: '\powershell.exe'
+ condition: selection and filter
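Review bot: The new `CommandLine` patterns `*-v* 2` and `*-V* 2` in the sysmon and security documents have no trailing wildcard, so they only fire when ` 2` is the last thing on the command line; an invocation such as `powershell.exe -v 2 -command …` or one using `-version 2.0` is not matched, while the open `-v*` prefix also matches unrelated `-v…` switches that happen to end in ` 2`. Anchoring the value rather than the line end closes that gap: replace the two list items with `- '*-v 2*'` and `- '*-version 2*'` (abbreviated forms between the two, if wanted, need their own entries), and the upper-case `-V` duplicate is presumably redundant where the backend matches command lines case-insensitively — keep it only if yours does not. The multi-document layout introduced here relies on the first document carrying `action: global` so that the title, `level` and `falsepositives` apply to all three documents; that header is above the hunk, so confirm it is present, otherwise the sysmon and security documents are emitted as metadata-less rules. The enclosing YAML document starts above the hunk.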