{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/execution_policy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","execution_policy","bypass","security_controls"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often modify the PowerShell execution policy to bypass security restrictions and execute malicious scripts. The default execution policy in PowerShell restricts the execution of unsigned scripts. However, an attacker can change the execution policy to \u003ccode\u003eUnrestricted\u003c/code\u003e, allowing all scripts to run, or use the \u003ccode\u003eBypass\u003c/code\u003e flag to bypass all security checks for a single command. This modification is a common tactic used by attackers to execute malware, perform reconnaissance, or establish persistence on a compromised system. Detecting these changes is crucial for identifying potential malicious activity within an environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to modify the PowerShell execution policy. This can be done using the \u003ccode\u003eSet-ExecutionPolicy\u003c/code\u003e cmdlet with the \u003ccode\u003eUnrestricted\u003c/code\u003e parameter, or using the \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e flag when invoking PowerShell.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSet-ExecutionPolicy\u003c/code\u003e command modifies the registry key responsible for storing the PowerShell execution policy: \u003ccode\u003eHKLM:\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could invoke a single PowerShell command bypassing the current execution policy using \u003ccode\u003epowershell.exe -ExecutionPolicy Bypass -Command \u0026quot;malicious_command\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system’s PowerShell configuration is altered, enabling the execution of unsigned or malicious scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes malicious PowerShell scripts for various purposes, such as downloading malware, performing lateral movement, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe scripts leverage the now-unrestricted environment to perform actions that would normally be blocked, such as accessing sensitive files or making unauthorized network connections.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful modification of the PowerShell execution policy can lead to a complete compromise of the affected system. Attackers can use the unrestricted PowerShell environment to execute arbitrary code, bypass security controls, and perform malicious activities without being detected. This can result in data breaches, financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Execution Policy Changes\u003c/code\u003e to your SIEM to identify suspicious modifications to the PowerShell execution policy.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging and transcript logging to capture the commands executed and scripts run within PowerShell sessions, which can be used to further investigate detected anomalies.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of the \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e flag in PowerShell commands using the \u003ccode\u003eDetect PowerShell Bypass Execution Policy Flag\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eReview and audit PowerShell execution policy settings regularly to ensure they align with security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-powershell-execution-policy/","summary":"Detection of modifications to the PowerShell execution policy to 'Unrestricted' or use of the 'Bypass' flag indicates a potential attempt to execute unsigned or malicious scripts, bypassing security controls.","title":"Detection of PowerShell Execution Policy Changes to Unrestricted or Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-execution-policy/"}],"language":"en","title":"CraftedSignal Threat Feed - Execution_policy","version":"https://jsonfeed.org/version/1.1"}