Adversaries may force a downgrade to the PowerShell v2 engine (`powershell.exe -Version 2`, which only works where the optional Windows PowerShell 2.0 feature is still installed) because that engine predates, and therefore bypasses, AMSI scanning, script block logging and Constrained Language Mode. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify execution that relies on the older engine to evade those controls, whether as part of lateral movement or persistence. Where the v2 engine is not needed, removing the optional feature (MicrosoftWindowsPowerShellV2Root) closes the downgrade path entirely.
KQL Query
```kusto
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
and FileName in~ ('system.management.automation.ni.dll','System.Management.Automation.dll')
and FolderPath matches regex @"[12]\.(\d)+\.(\d)+\.(\d)+"
```
```yaml
id: 70c41ff4-b95a-43a3-8fb5-794ed69be100
name: Detect PowerShell v2 Downgrade
description: |
  This query looks for powershell.exe loading an older (1.x or 2.x) version of the
  System.Management.Automation assembly, which indicates the PowerShell v2 engine is in use.
  Downgrading to version 2 lets an attacker bypass protections that only exist in modern
  PowerShell (AMSI, script block logging, Constrained Language Mode). The technique is not
  inherently malicious: some tools and scripts do it for backwards compatibility, so you will
  likely need to filter the processes that legitimately use this capability in your
  environment for the query to be effective. The regex keys on a four-part 1.x/2.x version
  string in FolderPath (the .NET 2.0 GAC folder that holds the v2 assembly); loads of the v2
  engine from a path without that string, or by a host other than powershell.exe, are not
  matched.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceImageLoadEvents
tactics:
  - Execution
query: |
  DeviceImageLoadEvents
  | where InitiatingProcessFileName =~ 'powershell.exe'
  and FileName in~ ('system.management.automation.ni.dll','System.Management.Automation.dll')
  and FolderPath matches regex @"[12]\.(\d)+\.(\d)+\.(\d)+"
```
| Sentinel Table | Notes |
|---|---|
| DeviceImageLoadEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) connector; ensure it is enabled and that Defender for Endpoint device telemetry is flowing |
Each exclusion below is expressed against DeviceImageLoadEvents columns so it can be appended to the rule as an extra `| where not (...)` clause. The process names are the ones this page lists; check them against the parent processes actually observed in your telemetry before relying on them.
Scenario: Scheduled Job Running PowerShell v2 Script
Description: A legitimate scheduled task runs a script that requires PowerShell v2 compatibility. Task-launched processes have the Task Scheduler service host (svchost.exe) as their parent; schtasks.exe only creates and modifies tasks, so it is not the parent to filter on.
Filter/Exclusion: `InitiatingProcessParentFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "-File" and InitiatingProcessCommandLine has_any (<approved script paths>)`. Key the exclusion on the script path, never on the parent alone.
Scenario: System Management Tools Using PowerShell v2
Description: Tools like System Center Configuration Manager (SCCM) or Microsoft Deployment Toolkit (MDT) may launch PowerShell v2 for compatibility with older systems.
Filter/Exclusion: `InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessParentFileName in~ ("msiexec.exe", "ccmexec.exe")`. msiexec.exe is also a common parent for malicious installers, so pair it with a known InitiatingProcessCommandLine rather than excluding it outright.
Scenario: Admin Task Running PowerShell v2 for Compatibility
Description: An administrator runs a PowerShell v2 script to maintain compatibility with legacy applications or systems.
Filter/Exclusion: `InitiatingProcessAccountName in~ (<named admin accounts>) and InitiatingProcessCommandLine has_any (<approved script paths>)`. An exclusion on the account alone (the original `process.user:"Administrator"`) would also silence an attacker using stolen administrator credentials, so the script allowlist is the part that carries the exclusion.
Scenario: PowerShell v2 Used for Legacy Reporting Tools
Description: A reporting tool like SQL Server Reporting Services (SSRS) or Power BI may use PowerShell v2 for legacy integration.
Filter/Exclusion: `InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessParentFileName in~ ("sqlservr.exe", "reportingservices.exe")`. Confirm the exact service executable names in your environment; they differ between product versions.
Scenario: PowerShell v2 Used in a Legacy Automation Framework
Description: An enterprise may use a legacy automation framework (e.g., System Center Orchestrator or Service Manager) that relies on PowerShell v2.
Filter/Exclusion: `InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessParentFileName in~ ("Orchestrator.exe", "SystemCenter.exe")`. As above, substitute the runbook or workflow host process names actually observed.
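The rule's where-clause and the exclusion scenarios above, as an added Python example that is not part of this page or of Microsoft's rule: it ports the match logic and the allowlists to plain Python and runs them over constructed DeviceImageLoadEvents rows, so you can see which loads the regex catches (the v2 assembly in the .NET 2.0 GAC), which it ignores (the v5 assembly, a native image without a version string in its path, a renamed powershell.exe), and which hits the exclusions remove. The GAC paths follow the standard layout; the native-image path, the allowlist entries, the command lines and the assumption that FolderPath carries the full path are constructed for the example.

```python
import re
from dataclasses import dataclass

# Same pattern the rule applies to FolderPath; the original's (\d)+ groups are dropped
# because they only change what is captured, not what matches.
V2_VERSION_RE = re.compile(r"[12]\.\d+\.\d+\.\d+")
AUTOMATION_DLLS = {"system.management.automation.ni.dll", "system.management.automation.dll"}

# Constructed allowlists standing in for the page's "known safe scripts" and the
# SCCM/MDT parent processes; replace with what your own telemetry shows.
KNOWN_SAFE_SCRIPTS = {r"c:\scripts\legacy-inventory.ps1"}
KNOWN_SAFE_PARENTS = {"ccmexec.exe", "msiexec.exe"}


@dataclass(frozen=True)
class ImageLoadEvent:
    """The DeviceImageLoadEvents columns the rule and the exclusions reference."""
    DeviceName: str
    FileName: str
    FolderPath: str
    InitiatingProcessFileName: str
    InitiatingProcessParentFileName: str
    InitiatingProcessCommandLine: str
    InitiatingProcessAccountName: str


def matches_rule(ev: ImageLoadEvent) -> bool:
    """Port of the rule's where-clause: powershell.exe loading an automation
    assembly from a path carrying a 1.x.x.x or 2.x.x.x version string."""
    return (
        ev.InitiatingProcessFileName.lower() == "powershell.exe"
        and ev.FileName.lower() in AUTOMATION_DLLS
        and V2_VERSION_RE.search(ev.FolderPath) is not None
    )


def is_expected_v2_use(ev: ImageLoadEvent) -> bool:
    """Exclusions from the scenarios: a known management parent, or a command
    line that runs an approved script. The account name is deliberately not an
    exclusion key: an attacker holding admin credentials would match it too."""
    if ev.InitiatingProcessParentFileName.lower() in KNOWN_SAFE_PARENTS:
        return True
    cmd = ev.InitiatingProcessCommandLine.lower()
    return any(script in cmd for script in KNOWN_SAFE_SCRIPTS)


def hunt(events):
    """Rule hits that survive the exclusions, i.e. what an analyst would triage."""
    return [ev for ev in events if matches_rule(ev) and not is_expected_v2_use(ev)]


# Constructed sample rows. The .NET 2.0 GAC under C:\Windows\assembly holds the v2
# engine's 1.0.0.0 assembly; the .NET 4 GAC under C:\Windows\Microsoft.NET\assembly
# holds the 3.0.0.0 assembly used by v5. The native-image path is an assumption.
V2_DLL = r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
V5_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
V2_NI_DLL = r"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\0123456789abcdef\System.Management.Automation.ni.dll"

SAMPLE_EVENTS = [
    # 1. Interactive downgrade from a user shell: should surface.
    ImageLoadEvent("ws01", "System.Management.Automation.dll", V2_DLL, "powershell.exe", "explorer.exe",
                   r'powershell.exe -Version 2 -NoProfile -WindowStyle Hidden -Command "Start-Process C:\Users\Public\update.exe"', "jdoe"),
    # 2. Scheduled task running an approved legacy script (task-launched processes have the
    #    Task Scheduler service host, svchost.exe, as parent): excluded by script path.
    ImageLoadEvent("srv01", "System.Management.Automation.dll", V2_DLL, "powershell.exe", "svchost.exe",
                   r"powershell.exe -Version 2 -File C:\Scripts\legacy-inventory.ps1", "SYSTEM"),
    # 3. SCCM client launching PowerShell: excluded by parent.
    ImageLoadEvent("srv02", "System.Management.Automation.dll", V2_DLL, "powershell.exe", "ccmexec.exe",
                   r"powershell.exe -Version 2 -File C:\Windows\ccmcache\abc\detect.ps1", "SYSTEM"),
    # 4. Normal v5 session: the version string 3.0.0.0 never matches [12].
    ImageLoadEvent("ws02", "System.Management.Automation.dll", V5_DLL, "powershell.exe", "explorer.exe",
                   "powershell.exe -NoProfile", "jdoe"),
    # 5. Native image of the v2 engine: no four-part 1.x/2.x version string in the path,
    #    so the regex does not fire even though FileName is in the rule's list.
    ImageLoadEvent("ws03", "System.Management.Automation.ni.dll", V2_NI_DLL, "powershell.exe", "explorer.exe",
                   "powershell.exe -Version 2 -NoProfile", "jdoe"),
    # 6. A renamed copy of powershell.exe: InitiatingProcessFileName is the on-disk name,
    #    so the =~ 'powershell.exe' test misses it.
    ImageLoadEvent("ws04", "System.Management.Automation.dll", V2_DLL, "ps.exe", "cmd.exe",
                   "ps.exe -Version 2 -NoProfile", "jdoe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.DeviceName}: rule={matches_rule(ev)} excluded={is_expected_v2_use(ev)}")
    print("to triage:", [ev.DeviceName for ev in hunt(SAMPLE_EVENTS)])
```

Rows 5 and 6 are the ones to keep in mind when tuning: they are genuine v2 engine use that this rule cannot see, so the exclusions above reduce noise on what the rule does catch but do not widen its coverage.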