LoFP LoFP / administrators may attempt to change the default execution policy on a system for a variety of reasons. however, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. hits should be reviewed and investigated as appropriate.

Techniques

Sample rules

Set Default PowerShell Execution Policy To Unrestricted or Bypass

Description

The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to “Unrestricted” or “Bypass.” It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path Software\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`