Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
27 lines (26 sloc) 663 Bytes
title: PowerShell called from an Executable Version Mismatch
status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
references:
- https://adsecurity.org/?p=2921
tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell-classic
detection:
selection1:
EventID: 400
EngineVersion:
- '2.*'
- '4.*'
- '5.*'
HostVersion: '3.*'
condition: selection1
falsepositives:
- Penetration Tests
- Unknown
level: high