Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query looks for processes that load an older version of the system.management.automation libraries. While not inherently malicious, downgrading to PowerShell version 2 can enable an attacker to bypass some of the protections afforded by modern PowerShell. It is worth noting that some tools and scripts perform this to enable backwards compatibility, so the technique is not inherently malicious. You will likely need to filter the processes within your environment that legitimately use this ca
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 70c41ff4-b95a-43a3-8fb5-794ed69be100 |
| Tactics | Execution |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
DeviceImageLoadEvents |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊