Change PowerShell Policies to an Insecure Level - PowerShell
Detects use of Set-ExecutionPolicy to set insecure policies
Sigma rule
```yaml
title: Change PowerShell Policies to an Insecure Level - PowerShell
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
      type: similar
    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
      type: similar
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
      type: similar
status: test
description: Detects use of Set-ExecutionPolicy to set insecure policies
references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
    - https://adsecurity.org/?p=2604
author: frack113
date: 2021/10/20
modified: 2022/12/30
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    cmdlet:
        ScriptBlockText|contains: 'Set-ExecutionPolicy'
    option:
        ScriptBlockText|contains:
            - 'Unrestricted'
            - 'bypass'
            - 'RemoteSigned'
    filter:
        # - ParentImage: 'C:\ProgramData\chocolatey\choco.exe'  # PowerShell event ID 4104 does not carry ParentImage
        ScriptBlockText|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
            - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
            - '\AppData\Roaming\Code\'
    condition: cmdlet and option and not filter
falsepositives:
    - Administrator script
level: medium
```
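To see how the condition `cmdlet and option and not filter` behaves on real-looking telemetry, here is an added Python matcher (not part of the Sigma project or this rule's author's code) that applies the three selections to constructed Event ID 4104 `ScriptBlockText` samples. It assumes Sigma's default semantics for `contains`: case-insensitive substring match, with a list meaning "any value", so `bypass` in the rule also matches `Bypass` in the log.

```python
# Added example: minimal matcher for this rule's detection block.
# Sigma 'contains' is case-insensitive, so both sides are lowercased.
CMDLET = ["Set-ExecutionPolicy"]
OPTION = ["Unrestricted", "bypass", "RemoteSigned"]
FILTER = [
    "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')",
    "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')",
    "\\AppData\\Roaming\\Code\\",  # literal backslashes, as in the rule
]


def contains_any(text, needles):
    """Sigma 'field|contains' with a list of values: true if any value is a substring."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(script_block_text):
    """condition: cmdlet and option and not filter"""
    return (contains_any(script_block_text, CMDLET)
            and contains_any(script_block_text, OPTION)
            and not contains_any(script_block_text, FILTER))


# Constructed sample 4104 script blocks (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "Set-ExecutionPolicy Bypass -Scope Process -Force"},
    {"id": 2, "ScriptBlockText": "Set-ExecutionPolicy AllSigned -Scope LocalMachine"},
    {"id": 3, "ScriptBlockText": "Set-ExecutionPolicy Bypass -Scope Process -Force; "
              "iex ((New-Object System.Net.WebClient).DownloadString("
              "'https://community.chocolatey.org/install.ps1'))"},  # excluded by filter
    {"id": 4, "ScriptBlockText": "Get-ExecutionPolicy -List"},  # cmdlet selection misses
    {"id": 5, "ScriptBlockText": "Set-ExecutionPolicy -ExecutionPolicy remotesigned"},  # case-insensitive hit
]


def alerting_event_ids(events):
    """Return the ids of events the rule would fire on."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], matches_rule(event["ScriptBlockText"]))
```

Event 2 shows the rule's scope: tightening the policy to `AllSigned` is not flagged, and event 3 shows the Chocolatey installer exclusion suppressing an otherwise-matching block.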
Related rules
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Net WebClient Casing Anomalies
- PowerShell Remote Session Creation