
Potential PowerShell Downgrade Attack

Sigma Rules

Summary
This detection rule identifies potential PowerShell downgrade attacks by inspecting process creation events on Windows hosts (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled). It looks for the PowerShell executable (powershell.exe) being started with a command line that requests engine version 2, covering the full parameter name (-Version 2, -Version 2.0) and the abbreviated prefixes powershell.exe accepts for that parameter (for example -v 2). Forcing the 2.0 engine matters because that engine predates the defensive features added in PowerShell 5.0 and later: Script Block Logging, Module Logging, the Antimalware Scan Interface (AMSI) and Constrained Language Mode. A script run under version 2 therefore executes with far less visibility and without in-memory scanning, which is why the technique is used to evade endpoint controls. Two practical caveats: the downgrade only succeeds if the PowerShell 2.0 engine is still installed (on Windows 10 and later it is an optional feature that depends on .NET Framework 3.5 and can be removed), but the attempt is logged at process creation either way; and because the match is on the command line, the same flag appearing as an argument to a script launched via -Command can trigger the rule and needs triage. The rule uses the 'process_creation' log source and raises an alert when the criteria are met so that security teams can investigate.
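The following is an added example, not code from the Sigma project or from this rule; it reimplements the rule's matching logic in Python and runs it over a handful of constructed process creation events so the hits and misses can be seen side by side. The regular expression, the ProcessCreation dataclass and the sample events are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Matches "-Version 2" / "-Version 2.0" and the unambiguous prefixes that
# powershell.exe accepts for the parameter (-v, -ve, -ver, ... -versio).
# Assumption for this example: flag and value are separated by whitespace,
# which is the form the rule targets. The lookahead stops "2" from matching
# "20" or "2.1".
DOWNGRADE_RE = re.compile(
    r"(?:^|\s)-v(?:e(?:r(?:s(?:i(?:o(?:n)?)?)?)?)?)?\s+2(?:\.0)?(?=\s|$|[\"'])",
    re.IGNORECASE,
)


@dataclass
class ProcessCreation:
    """Minimal stand-in for a Sysmon EID 1 / Security 4688 record."""
    image: str
    command_line: str


def is_powershell_image(image: str) -> bool:
    """True only for Windows PowerShell (powershell.exe), not pwsh.exe."""
    name = image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name == "powershell.exe"


def is_powershell_downgrade(event: ProcessCreation) -> bool:
    """Apply the rule: powershell.exe image AND a version-2 request."""
    if not is_powershell_image(event.image):
        return False
    return DOWNGRADE_RE.search(event.command_line) is not None


def scan(events):
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if is_powershell_downgrade(ev)]


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH_IMAGE = r"C:\Program Files\PowerShell\7\pwsh.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Classic downgrade with the full parameter name -> alert
    ProcessCreation(PS_IMAGE, "powershell.exe -Version 2 -NoProfile -Command whoami"),
    # Abbreviated parameter, 2.0 spelling, hidden window -> alert
    ProcessCreation(PS_IMAGE, "powershell -v 2.0 -w hidden -enc SQBFAFgA"),
    # Flag is an argument to a script after -Command: powershell.exe never
    # parses it, but a command-line match still fires -> alert, needs triage
    ProcessCreation(PS_IMAGE, r"powershell.exe -NoProfile -Command C:\Tools\report.ps1 -v 2"),
    # Explicit request for the current engine -> no alert
    ProcessCreation(PS_IMAGE, "powershell.exe -Version 5.1 -Command whoami"),
    # PowerShell 7: -v just prints the version, and the image is excluded
    ProcessCreation(PWSH_IMAGE, "pwsh -v 2"),
    # Ordinary invocation without any version request -> no alert
    ProcessCreation(PS_IMAGE, "powershell.exe -NoProfile -Command Get-Process"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(("ALERT " if is_powershell_downgrade(ev) else "ok    ") + ev.command_line)
```

The third sample event shows the triage caveat: everything after -Command is handed to the engine as script text, so "-v 2" there is an argument to report.ps1 rather than a downgrade, yet any command-line substring match, this one or the rule's own, will raise it. On hosts where it is acceptable, removing the engine with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root makes the attack fail outright while leaving the process creation event in place as an indicator.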
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-03-20