Execution, Potential PowerShell Downgrade Attack
Powershell V2downgrade
Query
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "-v 2"
or ProcessCommandLine has "-v 2.0"
or ProcessCommandLine has "-version 2"
or ProcessCommandLine has "-versi 2"
or ProcessCommandLine has "-vers 2"
or ProcessCommandLine has "-ver 2"
or ProcessCommandLine has "-ve 2"
or ProcessCommandLine has "-ve 2"
or ProcessCommandLine has "-version 2.0"| where InitiatingProcessFileName != "MonitoringHost.exe"Explanation
This query is designed to detect potential PowerShell downgrade attacks by analyzing command line inputs. Here's a simplified summary:
- Target Events: It looks at events related to processes (
DeviceProcessEvents). - Specific Programs: It focuses on processes where the file name is either
powershell.exeorpowershell_ise.exe. - Command Line Indicators: It checks if the command line used to start these processes includes any of several variations indicating a request to use PowerShell version 2 (e.g.,
-v 2,-version 2.0, etc.). - Exclusion: It excludes events where the initiating process is
MonitoringHost.exe.
In essence, this query identifies instances where PowerShell is being run with commands that suggest a downgrade to version 2, which could be indicative of an attack, while ignoring legitimate monitoring processes.
