The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the systems. By default, it is set to “Restricted.“ While this setting is not meant to be a security control, it is used often by attackers and malicious software to execute code on a system without having administrative-level access.
Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.
1. Download our Blumira PowerShell Execution Policy Bypass testing script here; the file is non-threatening and is only used to demonstrate the detection
2. Open Command Prompt
3. Change to the directory that the above saved file is in.
4. Run the command
6. This detection test should trigger the finding “Potentially Malicious PowerShell Command – Event ID 4688” in your Blumira console
7. Open Powershell
8. Change to the directory that the above saved file is in.
9. Run the command
11. This detection test should trigger the finding “Potentially Malicious PowerShell Command – Event ID 4104” in your Blumira console