Change PowerShell Policies to an Insecure Level - PowerShell
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
Sigma rule (View on GitHub)
1title: Change PowerShell Policies to an Insecure Level - PowerShell
2id: 61d0475c-173f-4844-86f7-f3eebae1c66b
3related:
4 - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
5 type: similar
6 - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
7 type: similar
8 - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
9 type: similar
10status: test
11description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
12references:
13 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
14 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
15 - https://adsecurity.org/?p=2604
16author: frack113
17date: 2021/10/20
18modified: 2023/12/14
19tags:
20 - attack.execution
21 - attack.t1059.001
22logsource:
23 product: windows
24 category: ps_script
25 definition: 'Requirements: Script Block Logging must be enabled'
26detection:
27 selection_cmdlet:
28 ScriptBlockText|contains: 'Set-ExecutionPolicy'
29 selection_option:
30 ScriptBlockText|contains:
31 - 'Unrestricted'
32 - 'bypass'
33 filter_optional_chocolatey:
34 ScriptBlockText|contains:
35 - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
36 - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
37 condition: all of selection_* and not 1 of filter_optional_*
38falsepositives:
39 - Administrator script
40level: medium
References
-
The Set-ExecutionPolicy cmdlet changes PowerShell execution policies for Windows computers. For more information, see about_Execution_Policies. Beginning in PowerShell 6.0 for non-Windows computers, the default execution policy is Unrestricted and can't be changed. The Set-ExecutionPolicy cmdlet is available, but PowerShell displays a console message that it's not supported. An execution policy is part of the PowerShell security strategy. Execution policies determine whether you can load configuration files, such as your PowerShell profile, or run scripts. And, whether scripts must be digitally signed before they are run. The Set-ExecutionPolicy cmdlet's default scope is LocalMachine, which affects everyone who uses the computer. To change the execution policy for LocalMachine, start PowerShell with Run as Administrator. To display the execution policies for each scope, use Get-ExecutionPolicy -List. To see the effective execution policy for your PowerShell session use Get-ExecutionPolicy with no parameters.
Read More -
-
At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks. Update: I presented at BSides Charm (Baltimore) o...
Read More
Related rules
- Alternate PowerShell Hosts Pipe
- Change PowerShell Policies to an Insecure Level
- New PowerShell Instance Created
- PowerView PowerShell Cmdlets - ScriptBlock
- Remote LSASS Process Access Through Windows Remote Management