PowerShell Downgrade

Anvilogic Forge

Summary
The PowerShell Downgrade detection rule identifies attempts by adversaries to execute older versions of PowerShell that lack modern security features such as Script Block Logging (SBL), which is included in versions 5 and later. SBL records the content of executed script blocks, making it a significant barrier against malicious scripts. By executing a pre-7 version of PowerShell, adversaries aim to bypass security controls that would otherwise capture and log their actions. The rule uses a Splunk query that monitors endpoint data for PowerShell execution commands specifying a version number from 1 to 6; matching events are flagged as potential indicators of malicious activity. The rule is tied to the threat actor Earth Estries and references several execution techniques, including PowerShell and Windows Command Shell execution. The implementation captures process-creation events (Event Code 4688), specifically those for the `powershell.exe` process. This proactive monitoring strengthens defenses against scripting attacks that rely on version downgrades to act on a system without being logged.
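An illustration of the rule's logic in Python, added here and not Anvilogic's Splunk query: it applies the three conditions above (Event Code 4688, `powershell.exe` as the new process, a `-Version` argument of 1 through 6) to constructed sample records, and the regular expression accepts the abbreviated forms of `-Version` that powershell.exe allows.

```python
import re

# powershell.exe accepts any unambiguous prefix of "-Version" (-v, -ver, ...),
# so match those, followed by a major version 1-6 (optionally written as "2.0").
DOWNGRADE_RE = re.compile(
    r"(?<!\S)-v(?:ersion|ersio|ersi|ers|er|e)?\s+['\"]?([1-6])(?:\.\d+)?['\"]?(?!\S)",
    re.IGNORECASE,
)

def requested_version(cmdline):
    """Return the legacy major version requested on the command line, else None."""
    m = DOWNGRADE_RE.search(cmdline)
    return int(m.group(1)) if m else None

def is_windows_powershell(new_process_name):
    """True for powershell.exe at any path; pwsh.exe (v7+) is outside the rule."""
    return new_process_name.lower().rsplit("\\", 1)[-1] == "powershell.exe"

def find_downgrades(events):
    """Apply the rule: 4688 + powershell.exe + -Version 1..6 on the command line."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4688:
            continue
        if not is_windows_powershell(ev.get("NewProcessName", "")):
            continue
        ver = requested_version(ev.get("CommandLine", ""))
        if ver is not None:
            hits.append({**ev, "RequestedVersion": ver})
    return hits

# Constructed sample 4688-style records (hypothetical values, not real telemetry).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventCode": 4688, "NewProcessName": PS_PATH,
     "CommandLine": "powershell.exe -version 2 -File C:\\Temp\\task.ps1"},
    {"EventCode": 4688, "NewProcessName": PS_PATH,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"EventCode": 4688, "NewProcessName": PS_PATH,
     "CommandLine": "\"powershell.exe\" -v 5.1 -File C:\\Temp\\audit.ps1"},
    {"EventCode": 4688, "NewProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -Version"},
    {"EventCode": 4689, "NewProcessName": PS_PATH,
     "CommandLine": "powershell.exe -version 2"},
]

if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_EVENTS):
        print(f"ALERT: -Version {hit['RequestedVersion']} -> {hit['CommandLine']}")
```

A flagged command only succeeds if the requested engine is present on the host (the 2.0 engine is an optional Windows feature), so a hit records the attempt rather than a confirmed logging bypass.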
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1059.001
  • T1059.003
Created: 2024-02-09