Change PowerShell Policies to an Insecure Level
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects changing the PowerShell script execution policy to a potentially insecure level using the “-ExecutionPolicy” flag.
Detection logic

```yaml
detection:
  condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
  filter_main_powershell_core:
    CommandLine|contains:
      - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\'
      - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\PowerShell\7\'
    ParentImage:
      - 'C:\Windows\SysWOW64\msiexec.exe'
      - 'C:\Windows\System32\msiexec.exe'
  filter_optional_avast:
    CommandLine|contains:
      - '-ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast'
      - '-ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\'
    ParentImage|contains:
      - 'C:\Program Files\Avast Software\Avast\'
      - 'C:\Program Files (x86)\Avast Software\Avast\'
      - '\instup.exe'
  selection_img:
    - OriginalFileName:
        - 'powershell_ise.exe'
        - 'PowerShell.EXE'
        - 'pwsh.dll'
    - Image|endswith:
        - '\powershell_ise.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
  selection_level:
    CommandLine|contains:
      - 'Bypass'
      - 'Unrestricted'
  selection_option:
    CommandLine|contains:
      - '-executionpolicy '
      - ' -ep '
      - ' -exec '
```
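To make the condition concrete, here is an added example (not the Sigma project's own code) that evaluates the selections and filters above over three constructed process-creation events: an interactive `-ep bypass` launch that should alert, a PowerShell 7 MSI install that the `filter_main_powershell_core` exclusion suppresses, and a `RemoteSigned` launch that never meets `selection_level`. The sample paths and the `setup.ps1` file name are constructed, not taken from any real installer.

```python
# Added example, not the Sigma project's code: a small evaluator for the detection
# logic above, run over constructed events. Sigma matching is case-insensitive;
# a list of maps is OR, keys inside one map are AND, "1 of filter_*" is any filter.

def _contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def selection_img(e):
    return (e.get("OriginalFileName", "").lower() in {"powershell_ise.exe", "powershell.exe", "pwsh.dll"}
            or e.get("Image", "").lower().endswith(("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")))

def selection_option(e):
    return _contains_any(e.get("CommandLine"), ["-executionpolicy ", " -ep ", " -exec "])

def selection_level(e):
    return _contains_any(e.get("CommandLine"), ["Bypass", "Unrestricted"])

def filter_main_powershell_core(e):  # pwsh launched by the PowerShell 7 MSI installer
    return (e.get("ParentImage", "").lower() in {"c:\\windows\\syswow64\\msiexec.exe", "c:\\windows\\system32\\msiexec.exe"}
            and _contains_any(e.get("CommandLine"), [
                '-NoProfile -ExecutionPolicy Bypass -File "C:\\Program Files\\PowerShell\\7\\',
                '-NoProfile -ExecutionPolicy Bypass -File "C:\\Program Files (x86)\\PowerShell\\7\\']))

def filter_optional_avast(e):
    return (_contains_any(e.get("ParentImage"), ["C:\\Program Files\\Avast Software\\Avast\\",
                                                "C:\\Program Files (x86)\\Avast Software\\Avast\\", "\\instup.exe"])
            and _contains_any(e.get("CommandLine"), [
                '-ExecutionPolicy ByPass -File "C:\\Program Files\\Avast Software\\Avast',
                '-ExecutionPolicy ByPass -File "C:\\Program Files (x86)\\Avast Software\\Avast\\']))

def matches(e):  # condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selection_img(e) and selection_option(e) and selection_level(e)
            and not filter_main_powershell_core(e) and not filter_optional_avast(e))

# Constructed sample events; field names follow the Sigma process_creation log source
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",      # should alert
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -ep bypass -File C:\\Users\\Public\\run.ps1"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "OriginalFileName": "pwsh.dll",  # installer: filtered out
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'pwsh.exe -NoProfile -ExecutionPolicy Bypass -File "C:\\Program Files\\PowerShell\\7\\setup.ps1"'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",      # RemoteSigned: not insecure
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\s\\x.ps1"},
]

def alerts(events=EVENTS):
    """Indices of events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Note that `selection_option` matches on the bare `-executionpolicy ` substring, so a benign `RemoteSigned` launch passes that selection and is only dropped by `selection_level`; tuning should therefore focus on the level and parent-process filters rather than the flag itself.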