Change PowerShell Policies to an Insecure Level

 1title: Change PowerShell Policies to an Insecure Level
 2id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
 3related:
 4    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
 5      type: similar
 6    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
 7      type: similar
 8    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
 9      type: similar
10status: test
11description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
12references:
13    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
14    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
15    - https://adsecurity.org/?p=2604
16    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
17author: frack113
18date: 2021-11-01
19modified: 2025-10-07
20tags:
21    - attack.execution
22    - attack.t1059.001
23logsource:
24    product: windows
25    category: process_creation
26detection:
27    selection_img:
28        - OriginalFileName:
29              - 'powershell_ise.exe'
30              - 'PowerShell.EXE'
31              - 'pwsh.dll'
32        - Image|endswith:
33              - '\powershell_ise.exe'
34              - '\powershell.exe'
35              - '\pwsh.exe'
36    selection_option:
37        CommandLine|contains:
38            - '-executionpolicy '
39            - ' -ep '
40            - ' -exec '
41    selection_level:
42        CommandLine|contains:
43            - 'Bypass'
44            - 'Unrestricted'
45    filter_main_powershell_core:
46        ParentImage:
47            - 'C:\Windows\SysWOW64\msiexec.exe'
48            - 'C:\Windows\System32\msiexec.exe'
49        CommandLine|contains:
50            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\'
51            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\PowerShell\7\'
52    filter_optional_avast:
53        ParentImage|contains:
54            - 'C:\Program Files\Avast Software\Avast\'
55            - 'C:\Program Files (x86)\Avast Software\Avast\'
56            - '\instup.exe'
57        CommandLine|contains:
58            - '-ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast'
59            - '-ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\'
60    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
61falsepositives:
62    - Administrator scripts
63level: medium

References

• Set-ExecutionPolicy (Microsoft.PowerShell.Security) - PowerShell

  

  The Set-ExecutionPolicy cmdlet changes PowerShell execution policies for Windows computers. For more information, see about_Execution_Policies. Beginning in PowerShell 6.0 for non-Windows computers, the default execution policy is Unrestricted and can't be changed. The Set-ExecutionPolicy cmdlet is available, but PowerShell displays a console message that it's not supported. An execution policy is part of the PowerShell security strategy. Execution policies determine whether you can load configuration files, such as your PowerShell profile, or run scripts. And, whether scripts must be digitally signed before they are run. The Set-ExecutionPolicy cmdlet's default scope is LocalMachine, which affects everyone who uses the computer. To change the execution policy for LocalMachine, start PowerShell with Run as Administrator. To display the execution policies for each scope, use Get-ExecutionPolicy -List. To see the effective execution policy for your PowerShell session use Get-ExecutionPolicy with no parameters.

  
  Read More

• about_Execution_Policies - PowerShell

  

  Describes the PowerShell execution policies and explains how to manage them.

  
  Read More

• Detecting Offensive PowerShell Attack Tools

  

  At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks. Update: I presented at BSides Charm (Baltimore) on PowerShell attack & defense in April 2016. More information on PowerShell Security: PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection The most ...

  
  Read More

• From Zero to Domain Admin

  

  Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Up…

  
  Read More

Related rules

• Alternate PowerShell Hosts Pipe
• PowerShell Core DLL Loaded By Non PowerShell Process
• Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
• Raspberry Robin Initial Execution From External Drive
• Raspberry Robin Subsequent Execution of Commands