Techniques
Sample rules
Change PowerShell Policies to an Insecure Level
- source: sigma
- techniques:
    - t1059
    - t1059.001
Description
Detects changing the PowerShell script execution policy to a potentially insecure level using the “-ExecutionPolicy” flag.
Detection logic
condition: all of selection_*
selection_img:
    - OriginalFileName:
        - PowerShell.EXE
        - pwsh.dll
    - Image|endswith:
        - \powershell.exe
        - \pwsh.exe
selection_level:
    CommandLine|contains:
        - Bypass
        - Unrestricted
selection_option:
    CommandLine|contains:
        - '-executionpolicy '
        - ' -ep '
        - ' -exec '
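The following is an added example, not part of the rule page or of the Sigma project: a small evaluator that applies the detection block above, with Sigma's standard matching semantics (case-insensitive string modifiers, OR across a list of maps, AND across fields in one map, AND across the three selections), to constructed process-creation events. It shows which command lines fire the rule and which do not, e.g. a `-ExecutionPolicy RemoteSigned` launch or a non-PowerShell process carrying the same flags.

```python
# Added example, not from the rule page: a minimal evaluator for the detection
# block above, run over constructed process-creation events. Sigma string
# modifiers match case-insensitively; a list of maps inside a selection is
# OR-ed, fields inside one map are AND-ed, and "all of selection_*" AND-s
# the three selections.
RULE = {
    "selection_img": [
        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
        {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
    ],
    "selection_level": {"CommandLine|contains": ["Bypass", "Unrestricted"]},
    "selection_option": {"CommandLine|contains": ["-executionpolicy ", " -ep ", " -exec "]},
}

def _field_matches(event, key, values):
    """One field with its modifier against a value list (values are OR-ed)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (x.lower() for x in values):
        if (modifier == "contains" and v in actual
                or modifier == "endswith" and actual.endswith(v)
                or modifier == "" and actual == v):
            return True
    return False

def _selection_matches(event, selection):
    if isinstance(selection, list):  # list of maps: any map may match
        return any(_selection_matches(event, m) for m in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_*"""
    return all(_selection_matches(event, s) for s in RULE.values())

# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\t\\x.ps1"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -ep unrestricted -c Get-Date"},
    {"Image": PS, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File a.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo -ep bypass"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(rule_matches(e), "<-", e["CommandLine"])
```

The first two events match (both selections on image and both policy spellings), the third is excluded by `selection_level`, and the fourth by `selection_img`, so a flag string alone in a non-PowerShell process does not fire the rule.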