
powershell-version-2.0-execution

Format: KQL · Severity: MEDIUM · Source: Azure-Sentinel
Table: DeviceProcessEvents
Tags: hunting, microsoft, official, powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-20T23:00:01Z · Confidence: medium

Hunt Hypothesis

The detection of PowerShell Version 2.0 execution may indicate the presence of legacy scripts or adversarial activity aimed at evading script logging and AMSI. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromises and mitigate the risk of stealthy malware execution.

KQL Query

DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "-v 2"
   or ProcessCommandLine has "-v 2.0"
   or ProcessCommandLine has "-version 2"
   or ProcessCommandLine has "-version 2.0"
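To see what this hunt matches and what it passes over, here is an added Python emulation of the query's two filters run over constructed DeviceProcessEvents rows; it is not part of the Azure-Sentinel rule. It approximates KQL `in~` as case-insensitive equality and `has` as case-insensitive whole-term phrase matching, and the sample rows and device names are made up.

```python
import re
from typing import Iterable

# Process names the rule scopes to (KQL `in~` is case-insensitive equality).
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe"}

# Command-line fragments from the rule. KQL `has` matches whole terms, so
# "-v 2" matches "-v 2" or "-v 2.0" but not "-v 20"; the regex approximates
# that with boundaries on non-alphanumeric characters (an approximation).
VERSION_2_PHRASES = ("-v 2", "-v 2.0", "-version 2", "-version 2.0")

def _phrase_pattern(phrase: str) -> re.Pattern:
    # Split the phrase into alphanumeric terms, require each term to be whole,
    # and allow any run of separators between terms, as the KQL tokenizer does.
    terms = re.findall(r"[A-Za-z0-9]+", phrase)
    body = r"[^A-Za-z0-9]+".join(re.escape(t) for t in terms)
    return re.compile(r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])", re.IGNORECASE)

_PATTERNS = [_phrase_pattern(p) for p in VERSION_2_PHRASES]

def matches_rule(event: dict) -> bool:
    """True when a DeviceProcessEvents row satisfies both `where` clauses."""
    if event.get("FileName", "").lower() not in POWERSHELL_HOSTS:
        return False
    cmd = event.get("ProcessCommandLine", "")
    return any(p.search(cmd) for p in _PATTERNS)

def hunt(events: Iterable[dict]) -> list[dict]:
    # Hits include legitimate legacy scripts as well as evasion attempts; the
    # rule itself cannot tell them apart, so review the script path and user.
    return [e for e in events if matches_rule(e)]

# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -Version 2 -NoProfile -File legacy.ps1"},
    {"DeviceName": "ws02", "FileName": "PowerShell_ISE.exe",
     "ProcessCommandLine": "PowerShell_ISE.exe -v 2.0"},
    {"DeviceName": "ws03", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -v 20 -c Get-Date"},   # "20" is a different term
    {"DeviceName": "ws04", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -v 2"},                      # outside the FileName filter
    {"DeviceName": "ws05", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["ProcessCommandLine"])
```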

Analytic Rule Definition

id: 76e64c0d-b640-4724-8096-4c4cda0ec6e0
name: powershell-version-2.0-execution
description: |
  Find the execution of PowerShell Version 2.0, either to discover legacy scripts using version 2 or to find attackers trying to hide from script logging and AMSI.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Execution
query: |
  DeviceProcessEvents
  | where FileName in~ ("powershell.exe", "powershell_ise.exe")
  | where ProcessCommandLine has "-v 2"
     or ProcessCommandLine has "-v 2.0"
     or ProcessCommandLine has "-version 2"
     or ProcessCommandLine has "-version 2.0"

Required Data Sources

Sentinel Table        Notes
DeviceProcessEvents   Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Execution

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Execution/powershell-version-2.0-execution.yaml