From bbb10a51f42e844846c66ac33edce8a3bfc9015a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 28 Mar 2020 13:17:58 +0100
Subject: [PATCH] Update win_powershell_downgrade_attack.yml
---
 .../process_creation/win_powershell_downgrade_attack.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
index d33c74283..61acfd966 100644
--- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
@@ -23,6 +23,12 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains: ' -version 2 '
+ CommandLine|contains:
+ - ' -version 2 '
+ - ' -versio 2 '
+ - ' -versi 2 '
+ - ' -vers 2 '
+ - ' -ver 2 '
+ - ' -ve 2 '
 Image|endswith: '\powershell.exe'
 condition: selection
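Review bot: The new `CommandLine|contains` list stops at `' -ve 2 '`, so the one-letter abbreviation of the switch is still not covered; if powershell.exe accepts it, as I believe it does, the list needs `- ' -v 2 '` as well. Every entry also requires a literal `2` followed by a space, so a command line that ends right after the version argument, or that writes it as `2.0`, would not match. Dropping the trailing space from the entries (e.g. `- ' -version 2'`) covers both cases, but the false-positive cost should be checked. A short comment above the list, such as `# PowerShell accepts any unambiguous prefix of -Version; keep this list in sync`, would explain why the near-duplicates exist. The rest of the rule (title, level, falsepositives) lies outside this hunk and could not be checked.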