Hello community!
Currently, at a customer, we were asked if ServiceNow performs a downgrade of PowerShell, simply because the customer's security system detected the following command:
AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.1.22 Source=Microsoft-Windows-Security-Auditing Computer=Server01.domain.com OriginatingComputer=172.88.88.88 User= Domain= EventID=4688 EventIDCode=4688 EventType=8 EventCategory=13312 RecordNumber=482747076 TimeGenerated=1731033544 TimeWritten=1731033544 Level=Log Always Keywords=Audit Success Task=SE_ADT_DETAILEDTRACKING_PROCESSCREATION Opcode=Info Message=A new process has been created. Creator Subject: Security ID: DOMAIN\usermid Account Name: usermid Account Domain: DOMAIN Logon ID: 0x1CE1D3C2D5 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1310 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x700 Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
It indicated that this was a security flaw.
Regarding the machines hosting the MID Server, all are listed with PowerShell version 5.1.X in the PowerShell version field of the ecc_agent_list.
My understanding is that the MID Server would not downgrade PowerShell when executing commands and that this is due to the target operating system’s configuration. Is my understanding correct? How can I explain this to them?
Thank you in advance!
