
PowerShell Execution Policy Bypass

PowerShell Execution Policy Bypass SIEM Detection Test

The PowerShell execution policy is the setting that determines which types of PowerShell scripts (if any) can be run on a system. By default, it is set to "Restricted." Although this setting is not meant to be a security control, attackers and malicious software frequently override it to execute code on a system without having administrative-level access.

Set Up Instructions

How to Test PowerShell Execution Policy Bypass

Prerequisites:

Testing Steps:

  1. Download our Blumira PowerShell Execution Policy Bypass testing script here. The file is non-threatening and is only used to demonstrate the detection.
  2. Open Command Prompt.
  3. Run the command: PowerShell.exe -ExecutionPolicy Bypass -File blumira_test.ps1
  4. Output should resemble the following: [screenshot: PowerShell Execution Policy Bypass]
  5. This detection test should trigger a finding in your Blumira console.
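The detection exercised by the steps above keys on a PowerShell host being launched with an execution-policy override. The following is an added example of that detection logic, written for this page and not Blumira's own rule: it filters constructed process-creation events (image, command line, user) down to powershell.exe/pwsh.exe launches whose command line sets the policy to Bypass or Unrestricted, including the abbreviated switch forms PowerShell accepts (e.g. -ep, -exec). The event field names and sample data are assumptions.

```python
"""Flag PowerShell launches that override the execution policy (added example)."""
import re
from typing import Dict, Iterable, List, Optional

# PowerShell hosts whose command lines are inspected (basename match).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts abbreviated switch names, so "-ep bypass" and
# "-exec bypass" behave like "-ExecutionPolicy Bypass". Match "-ep" or any
# switch starting with "-ex" (never bare "-e", which is -EncodedCommand),
# followed by a policy value that disables script restrictions.
BYPASS_RE = re.compile(
    r"""(?<!\S)-(?:ep|ex[a-z]*)\s+["']?(bypass|unrestricted)["']?""",
    re.IGNORECASE,
)


def policy_override(cmdline: str) -> Optional[str]:
    """Return the lowered policy value when the command line overrides the
    execution policy to Bypass/Unrestricted, otherwise None."""
    m = BYPASS_RE.search(cmdline)
    return m.group(1).lower() if m else None


def is_powershell(image: str) -> bool:
    """True if the process image basename is a PowerShell host."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in POWERSHELL_IMAGES


def find_bypass_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter process-creation events to PowerShell launches that override
    the execution policy; each hit is returned with the detected policy."""
    hits = []
    for ev in events:
        if not is_powershell(ev.get("image", "")):
            continue  # the flag text in a non-PowerShell command line is not a launch
        policy = policy_override(ev.get("cmdline", ""))
        if policy:
            hits.append({**ev, "policy": policy})
    return hits


# Constructed sample events in the shape of process-creation telemetry
# (Sysmon Event ID 1 / Security 4688 style fields). Not real log data.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "PowerShell.exe -ExecutionPolicy Bypass -File blumira_test.ps1", "user": "LAB\\analyst"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -ep bypass -c "Get-Date"', "user": "LAB\\svc"},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh.exe -ExecutionPolicy RemoteSigned -File deploy.ps1", "user": "LAB\\admin"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo -ExecutionPolicy Bypass", "user": "LAB\\user"},
]

if __name__ == "__main__":
    for hit in find_bypass_events(SAMPLE_EVENTS):
        print(f"ALERT policy={hit['policy']} user={hit['user']} cmd={hit['cmdline']}")
```

Running it reports the first two sample events; the RemoteSigned launch and the cmd.exe line that merely echoes the flag text are left alone.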