← Back to Explore
sigmamediumHunting
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Detection Query
selection_img:
- OriginalFileName:
- powershell_ise.exe
- PowerShell.EXE
- pwsh.dll
- Image|endswith:
- \powershell_ise.exe
- \powershell.exe
- \pwsh.exe
selection_option:
CommandLine|contains:
- "-executionpolicy "
- " -ep "
- " -exec "
selection_level:
CommandLine|contains:
- Bypass
- Unrestricted
filter_main_powershell_core:
ParentImage:
- C:\Windows\SysWOW64\msiexec.exe
- C:\Windows\System32\msiexec.exe
CommandLine|contains:
- -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\
- -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files
(x86)\PowerShell\7\
filter_optional_avast:
ParentImage|contains:
- C:\Program Files\Avast Software\Avast\
- C:\Program Files (x86)\Avast Software\Avast\
- \instup.exe
CommandLine|contains:
- -ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast
- -ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
Author
frack113
Created
2021-11-01
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
- https://adsecurity.org/?p=2604
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
Tags
attack.executionattack.t1059.001
Raw Content
title: Change PowerShell Policies to an Insecure Level
id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
related:
- id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
type: similar
- id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
type: similar
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
type: similar
status: test
description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
- https://adsecurity.org/?p=2604
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
author: frack113
date: 2021-11-01
modified: 2025-10-07
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName:
- 'powershell_ise.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
selection_option:
CommandLine|contains:
- '-executionpolicy '
- ' -ep '
- ' -exec '
selection_level:
CommandLine|contains:
- 'Bypass'
- 'Unrestricted'
filter_main_powershell_core:
ParentImage:
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\msiexec.exe'
CommandLine|contains:
- '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\'
- '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\PowerShell\7\'
filter_optional_avast:
ParentImage|contains:
- 'C:\Program Files\Avast Software\Avast\'
- 'C:\Program Files (x86)\Avast Software\Avast\'
- '\instup.exe'
CommandLine|contains:
- '-ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast'
- '-ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrator scripts
level: medium