This query looks for processes that load an older version of the system.management.automation libraries. Downgrading to PowerShell version 2 is not inherently malicious, but it can allow an attacker to bypass some of the protections afforded by modern PowerShell. Some tools and scripts perform this downgrade for backwards compatibility, so the technique by itself is not a reliable indicator of compromise. You will likely need to filter the processes within your environment that legitimately use this ca
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 70c41ff4-b95a-43a3-8fb5-794ed69be100 |
| Tactics | Execution |
| Required Connectors | MicrosoftThreatProtection |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Detect%20PowerShell%20v2%20Downgrade.yaml) |
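The detection logic described above, run over a handful of image-load events, as an added example that is not the Azure-Sentinel query itself or any code from that repository. The event records are constructed; their field names are modelled on the shape of Defender's DeviceImageLoadEvents rows, but the mapping of GAC assembly versions to PowerShell engines (1.0.0.0 for the 2.0 engine, 3.0.0.0 for PowerShell 3 and later), the `MODERN_ASSEMBLY_VERSION` threshold and the `LegacyBackupAgent.exe` allowlist entry are assumptions made for the illustration. It also shows the filtering step the description calls for: known-legitimate initiating processes are dropped so that only unexpected downgrades remain.

```python
import re
from typing import Iterable

# Assumption: the PowerShell 2.0 engine loads System.Management.Automation
# with GAC assembly version 1.0.0.0, while PowerShell 3+ ships 3.0.0.0.
# Anything below this threshold is treated as a downgraded engine.
MODERN_ASSEMBLY_VERSION = (3, 0, 0, 0)
AUTOMATION_DLL = "system.management.automation.dll"

# Constructed sample events (not real telemetry), shaped like
# DeviceImageLoadEvents rows: loaded image + initiating process.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01",
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -Version 2 -Command Get-Process",
     "FileName": "System.Management.Automation.dll",
     "FolderPath": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation"
                   r"\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"DeviceName": "ws02",
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
     "FileName": "System.Management.Automation.dll",
     "FolderPath": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                   r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"DeviceName": "srv01",
     "InitiatingProcessFileName": "LegacyBackupAgent.exe",   # hypothetical vendor tool
     "InitiatingProcessCommandLine": r"C:\Program Files\LegacyBackup\LegacyBackupAgent.exe /service",
     "FileName": "System.Management.Automation.dll",
     "FolderPath": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation"
                   r"\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"DeviceName": "ws03",
     "InitiatingProcessFileName": "notepad.exe",
     "InitiatingProcessCommandLine": "notepad.exe",
     "FileName": "kernel32.dll",
     "FolderPath": r"C:\Windows\System32\kernel32.dll"},
]

# Matches both GAC layouts seen above:
#   ...\System.Management.Automation\1.0.0.0__<token>\...
#   ...\System.Management.Automation\v4.0_3.0.0.0__<token>\...
_VERSION_RE = re.compile(
    r"System\.Management\.Automation\\(?:v[\d.]+_)?(\d+(?:\.\d+){3})__",
    re.IGNORECASE,
)


def assembly_version(folder_path: str):
    """Return the GAC assembly version of the loaded DLL as an int tuple, or None."""
    match = _VERSION_RE.search(folder_path)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_downgraded_load(event: dict) -> bool:
    """True when the event is a load of an automation assembly older than the threshold."""
    if event.get("FileName", "").lower() != AUTOMATION_DLL:
        return False
    version = assembly_version(event.get("FolderPath", ""))
    return version is not None and version < MODERN_ASSEMBLY_VERSION


def find_downgrades(events: Iterable[dict], allowlist: Iterable[str] = ()) -> list:
    """Flag downgraded loads, minus initiating processes known to need the old engine."""
    allowed = {name.lower() for name in allowlist}
    return [
        event for event in events
        if is_downgraded_load(event)
        and event.get("InitiatingProcessFileName", "").lower() not in allowed
    ]


if __name__ == "__main__":
    # Allowlist the (hypothetical) backup agent that legitimately uses the v2 engine.
    for hit in find_downgrades(SAMPLE_EVENTS, allowlist={"LegacyBackupAgent.exe"}):
        print(f"{hit['DeviceName']}: {hit['InitiatingProcessFileName']} "
              f"loaded {hit['FolderPath']}")
```

Tuning happens in the allowlist: run the unfiltered version first, review which initiating processes show up repeatedly across many hosts, and add only those whose v2 dependency you have confirmed, keeping the command line in the output so that a process name alone cannot hide an unexpected `-Version 2` invocation.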