sigmahighHunting

PowerShell Called from an Executable Version Mismatch

Detects PowerShell called from an executable by the version mismatch method

MITRE ATT&CK

defense-evasionexecution

Detection Query

selection_engine:
  Data|contains:
    - EngineVersion=2.
    - EngineVersion=4.
    - EngineVersion=5.
selection_host:
  Data|contains: HostVersion=3.
condition: all of selection_*

Author

Sean Metcalf (source), Florian Roth (Nextron Systems)

Created

2017-03-05

Data Sources

windowsps_classic_start

Platforms

windows

References

https://adsecurity.org/?p=2921

Tags

attack.defense-evasionattack.executionattack.t1059.001

Raw Content

title: PowerShell Called from an Executable Version Mismatch
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
status: test
description: Detects PowerShell called from an executable by the version mismatch method
references:
    - https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-10-27
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection_engine:
        Data|contains:
            - 'EngineVersion=2.'
            - 'EngineVersion=4.'
            - 'EngineVersion=5.'
    selection_host:
        Data|contains: 'HostVersion=3.'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high