PowerShell Execution Policy Bypass SIEM Detection Test
The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the systems. By default, it is set to “Restricted.“ While this setting is not meant to be a security control, it is used often by attackers and malicious software to execute code on a system without having administrative-level access.How to Test PowerShell Execution Policy Bypass
Prerequisites:- Windows Server must be using NxLog integration and properly sending logs to Blumira
- GPO Advanced Logging (Logmira) must be configured and properly sending logs to Blumira
Testing Steps:
- Download our Blumira PowerShell Execution Policy Bypass testing script here; the file is non-threatening and is only used to demonstrate the detection
- Open Command Prompt
- Change to the directory that the above saved file is in.
- Run the command
PowerShell.exe PowershellTest.ps1 - Output should resemble the following:
- This detection test should trigger the finding "Potentially Malicious PowerShell Command - Event ID 4688" in your Blumira console
- Open Powershell
- Change to the directory that the above saved file is in.
- Run the command
.\PowershellTest.ps1 - Output should resemble the following:
- This detection test should trigger the finding "Potentially Malicious PowerShell Command - Event ID 4104" in your Blumira console
Additional Security Resources
View All Posts
Product Updates
6 min read
| July 22, 2024
Detect and Respond to Azure Threats With Blumira: Easy Cloud SIEM Setup
Read More
Security Trends and Info
5 min read
| April 26, 2024
Detecting and Preventing Ransomware Attacks in Microsoft Environments
Read More
Security Alerts
8 min read
| April 19, 2024
Why are Threat Actors enabling Windows Restricted Admin mode?
Read MoreGet Started for Free
Experience the Blumira Free SIEM, with automated detection and response plus compliance reports for 3 cloud connectors, forever.
