{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/execution-policy-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","execution-policy-bypass","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell processes initiated with parameters designed to bypass the local execution policy, such as \u003ccode\u003e-ex\u003c/code\u003e or \u003ccode\u003ebypass\u003c/code\u003e. Attackers frequently employ this tactic to execute malicious scripts without triggering security restrictions. Bypassing the execution policy allows unauthorized scripts to run, potentially leading to arbitrary code execution, system compromise, data exfiltration, or establishing persistent access within the targeted environment. The detection uses data from Endpoint Detection and Response (EDR) agents to analyze process command lines and identify instances where execution policies are circumvented. This technique is observed across various threat actors and malware families, including those detailed in DHS Report TA18-074A, Volt Typhoon, HAFNIUM, AsyncRAT, and MuddyWater campaigns, highlighting the broad utility and persistent relevance of this bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access via an unknown method, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker attempts to elevate privileges using exploits or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePowerShell Invocation:\u003c/strong\u003e The attacker invokes PowerShell.exe to run malicious commands or scripts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution Policy Bypass:\u003c/strong\u003e The attacker uses command-line parameters such as \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e, \u003ccode\u003e-ep Bypass\u003c/code\u003e, or \u003ccode\u003e-ex Bypass\u003c/code\u003e to circumvent local execution policy restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Script Execution:\u003c/strong\u003e The PowerShell script downloads and executes a payload or performs malicious actions directly in memory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker leverages PowerShell to access credentials stored on the system or within the Active Directory environment, using tools like PowerSploit's \u003ccode\u003eInvoke-Mimikatz.ps1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using compromised credentials, the attacker moves laterally to other systems on the network via SMB/Windows Admin Shares.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence/Data Exfiltration:\u003c/strong\u003e Depending on the objective, the attacker establishes persistence through scheduled tasks or registry modifications, exfiltrates sensitive data, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful PowerShell execution policy bypass can result in complete system compromise. Observed impacts range from data theft to ransomware deployment, potentially affecting entire organizations. The consequences of this attack include the execution of arbitrary code, unauthorized access to sensitive data, and the establishment of persistent backdoors. The wide adoption of PowerShell in enterprise environments makes this a critical attack vector, allowing attackers to leverage legitimate tools for malicious purposes. Specific campaigns like Volt Typhoon have used similar techniques to target US critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMalicious PowerShell Execution Policy Bypass\u003c/code\u003e to your SIEM to detect instances of this behavior and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and restrict PowerShell execution policies within your environment to limit the ability of attackers to bypass these security controls (reference: detection description).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where PowerShell is invoked with bypass parameters, even if the script appears legitimate at first glance (reference: \u003ccode\u003eknown_false_positives\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon EventID 1 and Windows Event Log Security 4688 to ensure complete command-line auditing for PowerShell processes (reference: \u003ccode\u003edata_source\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eMap your EDR logs to the Endpoint data model to ensure compatibility with this and other endpoint-focused detections (reference: \u003ccode\u003ehow_to_implement\u003c/code\u003e section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-powershell-execution-policy-bypass/","summary":"The analytic detects PowerShell processes using command-line parameters to bypass the execution policy, often used by attackers to run malicious scripts undetected, leading to potential code execution, data exfiltration, or persistence.","title":"PowerShell Execution Policy Bypass Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-execution-policy-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Execution-Policy-Bypass","version":"https://jsonfeed.org/version/1.1"}