Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Sigma rule (View on GitHub)
1title: Change PowerShell Policies to an Insecure Level
2id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
3related:
4 - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
5 type: similar
6 - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
7 type: similar
8 - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
9 type: similar
10status: test
11description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
12references:
13 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
14 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
15 - https://adsecurity.org/?p=2604
16 - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
17author: frack113
18date: 2021/11/01
19modified: 2023/12/13
20tags:
21 - attack.execution
22 - attack.t1059.001
23logsource:
24 product: windows
25 category: process_creation
26detection:
27 selection_img:
28 - OriginalFileName:
29 - 'PowerShell.EXE'
30 - 'pwsh.dll'
31 - Image|endswith:
32 - '\powershell.exe'
33 - '\pwsh.exe'
34 selection_option:
35 CommandLine|contains:
36 - '-executionpolicy '
37 - ' -ep '
38 - ' -exec '
39 selection_level:
40 CommandLine|contains:
41 - 'Bypass'
42 - 'Unrestricted'
43 condition: all of selection_*
44falsepositives:
45 - Administrator scripts
46level: medium
References
-
The Set-ExecutionPolicy cmdlet changes PowerShell execution policies for Windows computers. For more information, see about_Execution_Policies. Beginning in PowerShell 6.0 for non-Windows computers, the default execution policy is Unrestricted and can't be changed. The Set-ExecutionPolicy cmdlet is available, but PowerShell displays a console message that it's not supported. An execution policy is part of the PowerShell security strategy. Execution policies determine whether you can load configuration files, such as your PowerShell profile, or run scripts. And, whether scripts must be digitally signed before they are run. The Set-ExecutionPolicy cmdlet's default scope is LocalMachine, which affects everyone who uses the computer. To change the execution policy for LocalMachine, start PowerShell with Run as Administrator. To display the execution policies for each scope, use Get-ExecutionPolicy -List. To see the effective execution policy for your PowerShell session use Get-ExecutionPolicy with no parameters.
Read More -
-
At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks. Update: I presented at BSides Charm (Baltimore) o...
Read More -
This report will go through an intrusion from July that began with an email, which included a link to Google's Feed Proxy service that was used to download a malicious Word document. Upon the user enabling macros, a Hancitor dll was executed, which called the usual suspect, Cobalt Strike.
Read More
Related rules
- Alternate PowerShell Hosts Pipe
- Change PowerShell Policies to an Insecure Level - PowerShell
- New PowerShell Instance Created
- PowerView PowerShell Cmdlets - ScriptBlock
- Remote LSASS Process Access Through Windows Remote Management