Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
Sigma rule
title: Potential PowerShell Execution Policy Tampering
id: fad91067-08c5-4d1a-8d8c-d96a21b37814
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
      type: similar
    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
      type: similar
    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
      type: similar
status: experimental
description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/11
modified: 2023/10/18
tags:
    - attack.defense_evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
            # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
            # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
            - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
            - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
        Details|contains:
            - 'Bypass'
            - 'RemoteSigned'
            - 'Unrestricted'
    filter_main_svchost:
        # Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example.
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
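To see exactly which registry_set events the rule above fires on and which the System32/SysWOW64 filter drops, here is an added example (not part of the Sigma rule or the page) that applies the rule's selection and filter logic to constructed Sysmon Event ID 13 records; the SID and file paths in the samples are placeholders. Sigma string modifiers match case-insensitively by default, so the matcher lowercases both sides.

```python
from typing import Dict, List

# String constants copied from the rule's selection and filter_main_svchost.
TARGET_SUFFIXES = (
    "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy",
    "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy",
)
WEAK_POLICIES = ("Bypass", "RemoteSigned", "Unrestricted")
FILTERED_IMAGE_DIRS = (":\\Windows\\System32\\", ":\\Windows\\SysWOW64\\")


def matches(event: Dict[str, str]) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' for one registry_set event."""
    # Sigma's endswith/contains modifiers are case-insensitive by default.
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    image = event.get("Image", "").lower()
    selection = any(target.endswith(s.lower()) for s in TARGET_SUFFIXES) and any(
        p.lower() in details for p in WEAK_POLICIES
    )
    filter_main_svchost = any(d.lower() in image for d in FILTERED_IMAGE_DIRS)
    return selection and not filter_main_svchost


def alerting_images(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if matches(e)]


# Constructed Sysmon Event ID 13 samples (not real telemetry; the SID is a placeholder).
USER_KEY = ("HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\PowerShell\\1"
            "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy")
GPO_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy"
SAMPLE_EVENTS = [
    # Binary in a user temp folder loosening the per-user policy: alerts.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": USER_KEY, "Details": "Bypass"},
    # Group Policy applying RemoteSigned through svchost: dropped by filter_main_svchost.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": GPO_KEY, "Details": "RemoteSigned"},
    # Same binary tightening the policy: AllSigned is not in the Details list, no alert.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": USER_KEY, "Details": "AllSigned"},
    # powershell.exe itself lives under System32, so this rule leaves a console
    # Set-ExecutionPolicy to the related ProcCreation and ScriptBlock rules.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": USER_KEY, "Details": "unrestricted"},
]

if __name__ == "__main__":
    print(alerting_images(SAMPLE_EVENTS))  # ['C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe']
```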