
PowerShell Downgrade Attack - PowerShell

Summary
This detection rule identifies PowerShell downgrade attacks by comparing the version of the PowerShell engine against the version of the host that launched it. Specifically, the rule fires when the engine version reported is 2.0 while the host version, which on a modern system is expected to be higher, is not 2.0. Such a mismatch indicates a deliberate attempt to run the legacy 2.0 engine under a newer host, and the usual motive is to bypass the security measures that newer PowerShell versions enforce and to reach weaknesses that remain in the old engine. The rule is therefore an important safeguard against execution under the legacy engine that could let an attacker leverage those legacy weaknesses. The rule was inspired by the blog post "Detecting and Preventing PowerShell Downgrade Attacks" by Lee Holmes and includes contributions from Florian Roth and Harish Segar for additional improvements.
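Added example, not code from the rule catalogue or from the rule's authors: a small Python reproduction of the rule's condition run over constructed messages in the shape of Event ID 400 from the classic Windows PowerShell log, whose Details block carries EngineVersion= and HostVersion= lines. The field names are those of the real event; the version strings and HostApplication values are made up for the sample.

```python
import re

# Constructed samples of the Details block carried by Event ID 400 in the
# classic "Windows PowerShell" log (Key=Value lines, one per line). Only the
# fields the rule needs are reproduced here; real messages carry many more.
SAMPLE_EVENTS = [
    # Downgrade: a 5.1 host was told to run the legacy 2.0 engine.
    """Details:
\tHostVersion=5.1.19041.1
\tHostApplication=powershell.exe -version 2
\tEngineVersion=2.0
""",
    # Normal: engine and host versions agree.
    """Details:
\tHostVersion=5.1.19041.1
\tHostApplication=powershell.exe
\tEngineVersion=5.1.19041.1
""",
    # Genuinely old machine: host and engine are both 2.0, so no alert.
    """Details:
\tHostVersion=2.0
\tHostApplication=powershell.exe
\tEngineVersion=2.0
""",
]

_KV = re.compile(r"^[ \t]*([A-Za-z]+)=(.*)$", re.MULTILINE)

def parse_details(message: str) -> dict:
    """Extract the Key=Value lines of an event message into a dict."""
    return {k: v.strip() for k, v in _KV.findall(message)}

def is_downgrade(details: dict) -> bool:
    """The rule's condition: engine is 2.x while the host is not 2.x."""
    engine = details.get("EngineVersion", "")
    host = details.get("HostVersion", "")
    return engine.startswith("2.") and not host.startswith("2.")

def find_downgrades(messages) -> list:
    """Return (HostApplication, HostVersion, EngineVersion) per alert."""
    hits = []
    for msg in messages:
        d = parse_details(msg)
        if is_downgrade(d):
            hits.append((d.get("HostApplication"), d["HostVersion"], d["EngineVersion"]))
    return hits

if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_EVENTS):
        print("PowerShell downgrade: app=%s host=%s engine=%s" % hit)
```

Only the first sample is reported: the third one has a 2.0 host as well as a 2.0 engine, which is the case the rule's host-version filter exists to exclude.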
Categories
  • Windows
Data Sources
  • Process
Created: 2017-03-22