Change PowerShell Policies to an Insecure Level - PowerShell
Detects use of Set-ExecutionPolicy to set insecure policies
Sigma rule (View on GitHub)
1title: Change PowerShell Policies to an Insecure Level - PowerShell
2id: 61d0475c-173f-4844-86f7-f3eebae1c66b
3related:
4 - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
5 type: similar
6 - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
7 type: similar
8 - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
9 type: similar
10status: test
11description: Detects use of Set-ExecutionPolicy to set insecure policies
12references:
13 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
14 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
15 - https://adsecurity.org/?p=2604
16author: frack113
17date: 2021/10/20
18modified: 2022/12/30
19tags:
20 - attack.execution
21 - attack.t1059.001
22logsource:
23 product: windows
24 category: ps_script
25 definition: 'Requirements: Script Block Logging must be enabled'
26detection:
27 cmdlet:
28 ScriptBlockText|contains: 'Set-ExecutionPolicy'
29 option:
30 ScriptBlockText|contains:
31 - 'Unrestricted'
32 - 'bypass'
33 - 'RemoteSigned'
34 filter:
35 # - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' Powershell event id 4104 do not have ParentImage
36 ScriptBlockText|contains:
37 - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
38 - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
39 - '\AppData\Roaming\Code\'
40 condition: cmdlet and option and not filter
41falsepositives:
42 - Administrator script
43level: medium
References
-
The Set-ExecutionPolicy cmdlet changes PowerShell execution policies for Windows computers. For more information, see about_Execution_Policies. Beginning in PowerShell 6.0 for non-Windows computers, the default execution policy is Unrestricted and can't be changed. The Set-ExecutionPolicy cmdlet is available, but PowerShell displays a console message that it's not supported. An execution policy is part of the PowerShell security strategy. Execution policies determine whether you can load configuration files, such as your PowerShell profile, or run scripts. And, whether scripts must be digitally signed before they are run. The Set-ExecutionPolicy cmdlet's default scope is LocalMachine, which affects everyone who uses the computer. To change the execution policy for LocalMachine, start PowerShell with Run as Administrator. To display the execution policies for each scope in the order of precedence, use Get-ExecutionPolicy -List. To see the effective execution policy for your PowerShell session use Get-ExecutionPolicy with no parameters.
Read More -
-
At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks. Update: I presented at BSides Charm (Baltimore) o...
Read More
Related rules
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Net WebClient Casing Anomalies
- PowerShell Remote Session Creation