There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.

Techniques

Sample rules

Malicious PowerShell Process - Execution Policy Bypass

Description

This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts (for example `-ExecutionPolicy Bypass` or its abbreviated `-ex bypass` form). These parameters are often observed in attacks that leverage PowerShell scripts, because they override the default PowerShell execution policy.

Detection logic

| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `malicious_powershell_process___execution_policy_bypass_filter`
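The same detection and tuning logic, rewritten in Python as an added example (not part of the original rule or the Splunk security content project), so the wildcard matching and the grouping behaviour of the tstats search can be run offline against constructed process-start events. It assumes that `process_powershell` resolves to the image names powershell.exe and pwsh.exe, that matching is case-insensitive, and it stands in for the `*_filter` macro with a reviewed allowlist of script paths, which is the validation step the false-positive note asks for.

```python
import re
from collections import defaultdict

# Stand-in for the `process_powershell` macro; assumed to mean these two images
# (the real macro may cover additional PowerShell hosts).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def has_bypass_args(cmdline):
    """SPL wildcards "* -ex*" and "* bypass *" as substring tests.
    PowerShell parses switches case-insensitively, so compare lower-cased.
    Note "-ex" also matches -ExecutionPolicy RemoteSigned, exactly as the SPL does."""
    low = cmdline.lower()
    return " -ex" in low or " bypass " in low

def detect_execution_policy_bypass(events):
    """Mirror of the tstats search: filter, then aggregate by process_id/user/dest."""
    groups = defaultdict(list)
    for ev in events:
        if ev["process_name"].lower() not in POWERSHELL_IMAGES:
            continue
        if not has_bypass_args(ev["process"]):
            continue
        groups[(ev["process_id"], ev["user"], ev["dest"])].append(ev)
    results = []
    for (pid, user, dest), evs in groups.items():
        results.append({
            "process_id": pid, "user": user, "dest": dest,
            "parent_process_id": sorted({e["parent_process_id"] for e in evs}),
            "process": sorted({e["process"] for e in evs}),
            "firstTime": min(e["_time"] for e in evs),
            "lastTime": max(e["_time"] for e in evs),
        })
    return results

# Tuning step standing in for the `*_filter` macro: drop hits whose -File script
# path is on a reviewed allowlist (hypothetical list, maintained by the analyst).
SCRIPT_RE = re.compile(r'-file\s+"?([^\s"]+)', re.IGNORECASE)

def filter_validated_scripts(results, allowlist):
    allowed = {s.lower() for s in allowlist}
    kept = []
    for r in results:
        scripts = {m.group(1).lower() for m in map(SCRIPT_RE.search, r["process"]) if m}
        if scripts and scripts <= allowed:
            continue  # every observed script is a validated one; suppress
        kept.append(r)
    return kept

SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the page
    {"_time": 100, "process_id": 4120, "parent_process_id": 3000, "user": "CORP\\alice", "dest": "ws01",
     "process_name": "powershell.exe", "process": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"_time": 140, "process_id": 4120, "parent_process_id": 3000, "user": "CORP\\alice", "dest": "ws01",
     "process_name": "powershell.exe", "process": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"_time": 200, "process_id": 5210, "parent_process_id": 812, "user": "CORP\\bob", "dest": "ws02",
     "process_name": "pwsh.exe", "process": "pwsh.exe -ex bypass -nop -File C:\\Users\\bob\\AppData\\Local\\Temp\\update.ps1"},
    {"_time": 210, "process_id": 6001, "parent_process_id": 812, "user": "CORP\\bob", "dest": "ws02",
     "process_name": "powershell.exe", "process": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"_time": 220, "process_id": 7002, "parent_process_id": 812, "user": "CORP\\bob", "dest": "ws02",
     "process_name": "cmd.exe", "process": "cmd.exe /c echo bypass test"},
]
```

Running `filter_validated_scripts(detect_execution_policy_bypass(SAMPLE_EVENTS), ["C:\\Scripts\\backup.ps1"])` leaves only the pwsh.exe hit from the user's temp directory; the two powershell.exe events for PID 4120 collapse into one row with firstTime 100 and lastTime 140 before being suppressed by the allowlist.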