Change PowerShell Policies to an Insecure Level

Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.

Sigma rule (View on GitHub)

 1title: Change PowerShell Policies to an Insecure Level
 2id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
 3related:
 4    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
 5      type: similar
 6    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
 7      type: similar
 8    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
 9      type: similar
10status: test
11description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
12references:
13    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
14    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
15    - https://adsecurity.org/?p=2604
16    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
17author: frack113
18date: 2021-11-01
19modified: 2023-12-13
20tags:
21    - attack.execution
22    - attack.t1059.001
23logsource:
24    product: windows
25    category: process_creation
26detection:
27    selection_img:
28        - OriginalFileName:
29              - 'PowerShell.EXE'
30              - 'pwsh.dll'
31        - Image|endswith:
32              - '\powershell.exe'
33              - '\pwsh.exe'
34    selection_option:
35        CommandLine|contains:
36            - '-executionpolicy '
37            - ' -ep '
38            - ' -exec '
39    selection_level:
40        CommandLine|contains:
41            - 'Bypass'
42            - 'Unrestricted'
43    condition: all of selection_*
44falsepositives:
45    - Administrator scripts
46level: medium

References

Related rules

to-top