T1562.001 Impair Defenses Disable or Modify Tools Potential PowerShell Downgrade Attack

T1562.001 - Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack

DESCRIPTION

Detects command execution and arguments associated with disabling or modification of security software processes or services. PowerShell Downgrade attack is a downgrade to an older versions of PowerShell that doesn’t contain security controls such as AMSI protection

Example:

PowerShell –Version 2 –Command \<…>

Related

N/A

Reference:

https://github.com/SigmaHQ/sigma/blob/6eaba7e37ebb17541991c99a764ccb6866696bc6/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/

ATT&CK TACTICS

T1562.001 - Impair Defenses: Disable or Modify Tools

Data Source(s): Command

SENTINEL RULE QUERY

let selection_CommandLine = dynamic([' -version 2 ',' -versio 2 ',' -versi 2 ', ' -vers 2 ', ' -ver 2 ', ' -ve 2 ', ' -v 2 ']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath endswith "\\powershell.exe" and ProcessCommandLine has_any (selection_CommandLine)
| where InitiatingProcessFolderPath !endswith "\\microsoft monitoring agent\\agent\\monitoringhost.exe" //Microsoft Monitoring Agent
//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine

Triage

1. Inspect if the activity if it is expected and approved performed by an admin or a service

FalsePositive

1. Microsft monitoring agent
2. This is a high fidelity threat hunt detection

VERSION

Version 2.0 (date: 07/02/2024)