Windows – PowerShell Execution Policy Bypass

PowerShell Execution Policy Bypass SIEM Detection Test

The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the systems. By default, it is set to “Restricted.“ While this setting is not meant to be a security control, it is used often by attackers and malicious software to execute code on a system without having administrative-level access.

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

Set Up Instructions

How to Test PowerShell Execution Policy Bypass

Prerequisites:

Windows Server must be using NxLog integration and properly sending logs to Blumira
GPO Advanced Logging (Logmira) must be configured and properly sending logs to Blumira

Testing Steps:

1. Download our Blumira PowerShell Execution Policy Bypass testing script here; the file is non-threatening and is only used to demonstrate the detection

2. Open Command Prompt

3. Change to the directory that the above saved file is in.

4. Run the command PowerShell.exe PowershellTest.ps1

5. Output should resemble the following:

6. This detection test should trigger the finding “Potentially Malicious PowerShell Command – Event ID 4688” in your Blumira console

7. Open Powershell

8. Change to the directory that the above saved file is in.

9. Run the command .\PowershellTest.ps1

10. Output should resemble the following:

11. This detection test should trigger the finding “Potentially Malicious PowerShell Command – Event ID 4104” in your Blumira console

Windows – PowerShell Execution Policy Bypass

PowerShell Execution Policy Bypass SIEM Detection Test

Sign Up For Your Free Account Today

Set Up Instructions

How to Test PowerShell Execution Policy Bypass

Contact Sales

Reach Out