Detection of PowerShell Execution Policy Changes to Unrestricted or Bypass
Detection of modifications to the PowerShell execution policy to 'Unrestricted' or use of the 'Bypass' flag indicates a potential attempt to execute unsigned or malicious scripts, bypassing security controls.
Attackers often modify the PowerShell execution policy to bypass security restrictions and execute malicious scripts. The default execution policy in PowerShell restricts the execution of unsigned scripts. However, an attacker can change the execution policy to Unrestricted, allowing all scripts to run, or use the Bypass flag to bypass all security checks for a single command. This modification is a common tactic used by attackers to execute malware, perform reconnaissance, or establish persistence on a compromised system. Detecting these changes is crucial for identifying potential malicious activity within an environment.
Attack Chain
- The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker executes a command to modify the PowerShell execution policy. This can be done using the
Set-ExecutionPolicycmdlet with theUnrestrictedparameter, or using the-ExecutionPolicy Bypassflag when invoking PowerShell. - The
Set-ExecutionPolicycommand modifies the registry key responsible for storing the PowerShell execution policy:HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell. - Alternatively, the attacker could invoke a single PowerShell command bypassing the current execution policy using
powershell.exe -ExecutionPolicy Bypass -Command "malicious_command". - The system’s PowerShell configuration is altered, enabling the execution of unsigned or malicious scripts.
- The attacker then executes malicious PowerShell scripts for various purposes, such as downloading malware, performing lateral movement, or exfiltrating data.
- The scripts leverage the now-unrestricted environment to perform actions that would normally be blocked, such as accessing sensitive files or making unauthorized network connections.
- The attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.
Impact
A successful modification of the PowerShell execution policy can lead to a complete compromise of the affected system. Attackers can use the unrestricted PowerShell environment to execute arbitrary code, bypass security controls, and perform malicious activities without being detected. This can result in data breaches, financial losses, reputational damage, and disruption of business operations.
Recommendation
- Deploy the Sigma rule
Detect PowerShell Execution Policy Changesto your SIEM to identify suspicious modifications to the PowerShell execution policy. - Enable PowerShell script block logging and transcript logging to capture the commands executed and scripts run within PowerShell sessions, which can be used to further investigate detected anomalies.
- Monitor for the use of the
-ExecutionPolicy Bypassflag in PowerShell commands using theDetect PowerShell Bypass Execution Policy FlagSigma rule. - Implement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.
- Review and audit PowerShell execution policy settings regularly to ensure they align with security best practices.
Detection coverage 2
Detect PowerShell Execution Policy Changes
highDetects changes to the PowerShell execution policy, specifically when set to 'Unrestricted'.
Detect PowerShell Bypass Execution Policy Flag
mediumDetects the use of the '-ExecutionPolicy Bypass' flag in PowerShell commands.
Detection queries are available on the platform. Get full rules →