Potential PowerShell Execution Policy Tampering

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

Sigma rule

title: Potential PowerShell Execution Policy Tampering
id: fad91067-08c5-4d1a-8d8c-d96a21b37814
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
      type: similar
    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
      type: similar
    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
      type: similar
status: experimental
description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/11
modified: 2023/12/14
tags:
    - attack.defense_evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
            # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
            # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
            - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
            - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
        Details|contains:
            - 'Bypass'
            - 'Unrestricted'
    filter_main_svchost:
        # Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example.
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
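
The following is an added example, not part of the Sigma project or of the rule author's work: it evaluates the rule's selection, filter and condition over a handful of constructed registry_set events so the matching behaviour can be checked before deployment. The event values, the helper names and the "C:\Program Files\Vendor\agent.exe" path are assumptions made for illustration.

```python
# Added example: the rule's detection logic evaluated over constructed events.
SELECTION = {
    "TargetObject|endswith": [
        "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy",
        "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy",
    ],
    "Details|contains": ["Bypass", "Unrestricted"],
}
# As written in the rule, this matches any image under these directories.
FILTER_MAIN_SVCHOST = {
    "Image|contains": [":\\Windows\\System32\\", ":\\Windows\\SysWOW64\\"],
}
OPS = {"endswith": str.endswith, "contains": str.__contains__}

def block_matches(block, event):
    """Fields in a block are ANDed; values listed for one field are ORed."""
    for key, values in block.items():
        field, modifier = key.split("|")
        actual = str(event.get(field, "")).lower()  # Sigma string matching ignores case
        if not any(OPS[modifier](actual, v.lower()) for v in values):
            return False
    return True

def rule_fires(event):
    """condition: selection and not 1 of filter_main_*"""
    return block_matches(SELECTION, event) and not block_matches(FILTER_MAIN_SVCHOST, event)

def triage(events):
    """Return one verdict per event, in order."""
    return [rule_fires(e) for e in events]

# Constructed sample events; field names are the ones the rule uses.
HKLM_KEY = "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy"
GPO_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy"
EVENTS = [
    # Policy relaxed by a binary outside System32/SysWOW64: alert
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": HKLM_KEY, "Details": "Unrestricted"},
    # Group Policy style change written by svchost: suppressed by the filter
    {"Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": GPO_KEY, "Details": "Bypass"},
    # Policy set to a value the rule does not list: no alert
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": HKLM_KEY, "Details": "RemoteSigned"},
    # Lower-case value from a hypothetical third-party binary: alert
    {"Image": "C:\\Program Files\\Vendor\\agent.exe", "TargetObject": GPO_KEY, "Details": "bypass"},
]

if __name__ == "__main__":
    for event, fired in zip(EVENTS, triage(EVENTS)):
        print("ALERT" if fired else "quiet", event["Image"], event["Details"])
```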
