there may be legitimate reasons to bypass the powershell execution policy. the powershell script being run with this parameter should be validated to ensure that it is legitimate.

Techniques

T1059.001

Sample rules

Malicious PowerShell Process - Execution Policy Bypass

source: splunk
technicques:
- T1059.001

Description

The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like “-ex” or “bypass.” This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.

Detection logic


| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_powershell` (Processes.process="* -ex*"
    AND
    Processes.process="* bypass *")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `malicious_powershell_process___execution_policy_bypass_filter`