MITRE ATT&CK® Analytic

AN0995: Analytic 0995

Detection of processes launching downgraded PowerShell versions (e.g., v2) or other legacy binaries that lack logging or security features. Correlates command-line arguments, process metadata, and version fields. Monitors registry changes to Defender or HVCI keys that could indicate intentional downgrades.

Domain: Enterprise | ID: AN0995 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because attackers or unsafe administrative activity can reduce Windows visibility by launching older PowerShell or legacy binaries that lack modern logging and security features, or by changing Defender and HVCI-related registry settings. For leaders, the decision value is whether the organization can prove that critical Windows endpoints still generate usable evidence when scripting or security-control downgrade attempts occur.

Executive priority

Prioritize this as a visibility and resilience control check for Windows environments. The key business question is not only whether PowerShell is allowed, but whether SOC and incident response teams can identify attempts to run downgraded versions or weaken security features before an investigation depends on missing logs. This supports audit evidence, incident readiness, endpoint hardening priorities, and budget decisions around Windows telemetry quality.

Technical view

Validate detection logic for Windows process launches where command-line arguments, process metadata, and version fields indicate downgraded PowerShell, such as version 2, or other legacy binaries with reduced logging or security capability. Also validate monitoring for registry changes affecting Microsoft Defender or HVCI keys that may indicate intentional downgrade activity. Because no ATT&CK tactic or relationship context is supplied, treat this as a defensive analytic focused on downgrade and visibility-loss behavior rather than tying it to a specific intrusion phase.

Likely telemetry

  • Windows process creation events with full command line
  • Process metadata, including image path, parent process, user, and process version fields where available
  • PowerShell execution telemetry sufficient to distinguish downgraded or legacy versions
  • Windows registry modification events for Defender-related keys
  • Windows registry modification events for HVCI-related keys

Detection direction

  • Confirm that command-line and process-version fields are actually collected and searchable on Windows endpoints; many environments collect process starts but not enough metadata to identify downgraded runtime versions.
  • Tune detections for explicit downgraded PowerShell invocation and legacy binary execution patterns while accounting for legitimate legacy administration or compatibility use cases.
  • Correlate suspicious process launches with Defender or HVCI registry changes to improve confidence and reduce noisy single-signal alerts.
  • Review false positives from approved maintenance, troubleshooting, older management scripts, or legacy application dependencies.
  • Measure coverage gaps on unmanaged endpoints, servers with reduced logging, and systems where registry auditing or EDR policy is incomplete.
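As an added worked example (not part of the MITRE analytic or of Glexia's text), the Python below runs the detection direction described above over a few constructed events modelled loosely on Sysmon Event ID 1 (process create) and Event ID 13 (registry value set): it flags powershell.exe launches whose command line requests the v2 engine, flags value changes on Defender and HVCI registry locations, and raises severity when both occur on the same host inside a time window, while lowering severity for an approved legacy parent process. The event field names, the sample events, the parent-process allowlist and the severity scheme are assumptions; the registry paths are standard Windows locations that you should extend from your own policy baseline.

```python
"""Correlate downgraded PowerShell launches with Defender/HVCI registry changes.

Added example, not MITRE or Glexia code. The input format is constructed and
loosely modelled on Sysmon event IDs 1 (ProcessCreate) and 13 (registry value
set); map the field names to whatever your own telemetry uses.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# powershell.exe accepts -Version (abbreviated -v); the 2.0 engine lacks
# script block logging and AMSI. Matches "-v 2", "-Version 2.0", etc.
DOWNGRADE_RE = re.compile(r"(?<!\S)-v(?:ersion)?\s+2(?:\.0)?(?!\S)", re.IGNORECASE)

# Registry values whose modification can indicate a security-control downgrade.
# These are standard Windows locations; extend the tuple from your own policy.
WATCHED_REGISTRY = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled",
    r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity",
)

# Constructed allowlist of parents with a known compatibility dependency
# (assumption: tune this from local baseline data, not from this example).
APPROVED_PARENTS = {r"c:\program files\legacyapp\launcher.exe"}


@dataclass
class Alert:
    host: str
    ts: datetime
    rule: str
    severity: str
    detail: str


def is_downgrade_launch(ev):
    """True for a ProcessCreate event that asks powershell.exe for the v2 engine."""
    if ev.get("event") != "ProcessCreate":
        return False
    if not ev.get("image", "").lower().endswith("\\powershell.exe"):
        return False
    return bool(DOWNGRADE_RE.search(ev.get("cmdline", "")))


def is_watched_registry_change(ev):
    """True for a registry value-set event on a Defender or HVCI location."""
    if ev.get("event") != "RegistryValueSet":
        return False
    target = ev.get("target", "").lower()
    return any(target == k.lower() for k in WATCHED_REGISTRY)


def detect(events, window=timedelta(minutes=15)):
    """Return alerts. A downgrade launch with a watched registry change on the
    same host inside `window` becomes high severity; an approved parent with
    no correlated change drops to low; everything else is medium."""
    launches = [e for e in events if is_downgrade_launch(e)]
    reg_changes = [e for e in events if is_watched_registry_change(e)]
    alerts = []
    for e in launches:
        sev = "low" if e.get("parent", "").lower() in APPROVED_PARENTS else "medium"
        related = [r for r in reg_changes
                   if r["host"] == e["host"] and abs(r["ts"] - e["ts"]) <= window]
        if related:
            sev = "high"
        alerts.append(Alert(e["host"], e["ts"], "powershell_v2_launch", sev,
                            f"{e['cmdline']} (correlated registry changes: {len(related)})"))
    for r in reg_changes:
        alerts.append(Alert(r["host"], r["ts"], "defender_hvci_registry_change", "medium",
                            f"{r['target']} = {r.get('details')}"))
    return alerts


# Constructed sample telemetry: one correlated downgrade, one approved legacy
# use, one ordinary PowerShell launch, one explicit v5.1 launch.
T0 = datetime(2024, 1, 1, 9, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "host": "ws01", "ts": T0, "image": PS,
     "cmdline": "powershell.exe -Version 2 -NoProfile -Command Get-Date",
     "parent": r"C:\Windows\System32\cmd.exe", "user": "corp\\alice"},
    {"event": "RegistryValueSet", "host": "ws01", "ts": T0 + timedelta(minutes=3),
     "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"event": "ProcessCreate", "host": "srv02", "ts": T0, "image": PS,
     "cmdline": r"powershell.exe -v 2 -File C:\Scripts\inventory.ps1",
     "parent": r"C:\Program Files\LegacyApp\launcher.exe", "user": "corp\\svc_inv"},
    {"event": "ProcessCreate", "host": "ws03", "ts": T0, "image": PS,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1",
     "parent": r"C:\Windows\explorer.exe", "user": "corp\\bob"},
    {"event": "ProcessCreate", "host": "ws03", "ts": T0, "image": PS,
     "cmdline": "powershell.exe -version 5.1 -Command Get-Service",
     "parent": r"C:\Windows\explorer.exe", "user": "corp\\bob"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts:%H:%M} {a.host:6} {a.severity:6} {a.rule}: {a.detail}")
```

The command-line match only shows that a v2 engine was requested; the request fails on hosts where the Windows PowerShell 2.0 optional feature is not installed, so pair it with the engine's own version field (Windows PowerShell log Event ID 400 carries the EngineVersion that actually started) before treating a hit as a successful downgrade. The allowlist demonstrates the false-positive handling the detection direction calls for, but note that a correlated registry change still overrides it.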

Mitigation priorities

  • Establish policy for approved PowerShell versions and legacy binary usage on Windows systems.
  • Reduce or remove business dependency on downgraded PowerShell or legacy binaries where feasible.
  • Harden and monitor Defender and HVCI configuration so unauthorized registry changes are prevented or investigated.
  • Ensure endpoint logging captures process command line, process metadata, version details, and relevant registry changes.
  • Create incident response triage guidance for downgrade indicators, including checking whether security telemetry was impaired around the same time.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and provides a high-level description without official detection logic. The strongest use is as a validation prompt for SOC engineering: can the environment observe downgraded PowerShell or legacy binary launches and related Defender/HVCI registry changes with enough fidelity to support investigation?

No official detection content, tactics, aliases, labels, or relationship context were supplied. This take is limited to Windows behavior described in the official fields and should be adapted using local baseline data, approved administrative practices, endpoint tooling, and registry auditing coverage.

Official MITRE ATT&CK definition

Analytic 0995

Detection of processes launching downgraded PowerShell versions (e.g., v2) or other legacy binaries that lack logging or security features. Correlates command-line arguments, process metadata, and version fields. Monitors registry changes to Defender or HVCI keys that could indicate intentional downgrades.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 215996fc4464a59a...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   215996fc4464…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0995 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.