Query Details

Device PowerShell Execution Policy Changed

Query

//Detect when a non-system account changes the PowerShell execution policy on a device

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where ActionType == "PowerShellCommand"
// in~ is case-insensitive; cover Windows PowerShell, PowerShell 7 (pwsh) and the ISE host
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// !~ is case-insensitive, so "SYSTEM" is excluded as well as "system"
| where InitiatingProcessAccountName !~ "system"
// AdditionalFields is JSON; parse_json works whether the column arrives as string or dynamic
| extend Command = tostring(parse_json(AdditionalFields).Command)
// has is a whole-term match, so the cmdlet still matches if arguments were recorded with it
| where Command has "Set-ExecutionPolicy"
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, Command, InitiatingProcessCommandLine

Explanation

This query detects when a non-system account changes the PowerShell execution policy on a device. It selects rows in the DeviceEvents table whose ActionType is "PowerShellCommand" and whose initiating process is the PowerShell host (powershell.exe), drops rows initiated by the system account, and keeps only those whose Command value inside AdditionalFields is Set-ExecutionPolicy. The remaining rows are projected to TimeGenerated, DeviceName and InitiatingProcessAccountName for triage. Two caveats: KQL's == and != are case-sensitive, so file and account names should be compared with =~ and !~ (or in~), otherwise "SYSTEM" or "PowerShell.exe" slip past the filter; and the execution policy is not a security boundary (it is bypassed per process with -ExecutionPolicy Bypass or by piping script text into the host), so a hit means a user is preparing to run scripts, not that anything was blocked. The alert is most useful on hosts where the policy is set by GPO and users have no business changing it.
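The filter logic above, replayed in Python over constructed DeviceEvents rows so the edge cases can be checked without a Defender tenant. This is an added example, not part of the original page or the query author's code: the rows, host names and account names are made up, and treating "local service" and "network service" as system accounts is this example's own choice. strict_filter reproduces the page's comparisons literally (case-sensitive ==/!=, exact Command match, powershell.exe only); hardened_filter is the case-insensitive, multi-host, whole-term version, so the difference in their results shows exactly what the strict form misses or over-reports.

```python
import json
import re

# Constructed sample rows shaped like the M365 Defender DeviceEvents columns the query
# touches. Made up for this example, not real telemetry. AdditionalFields is kept as a
# JSON string, which is how the Defender schema delivers it.
def _row(device, proc, account, command, action="PowerShellCommand", raw_fields=None):
    return {
        "TimeGenerated": "2022-06-17T08:00:00Z",
        "DeviceName": device,
        "ActionType": action,
        "InitiatingProcessFileName": proc,
        "InitiatingProcessAccountName": account,
        "AdditionalFields": json.dumps({"Command": command}) if raw_fields is None else raw_fields,
    }

SAMPLE_EVENTS = [
    _row("ws01", "powershell.exe", "jsmith", "Set-ExecutionPolicy"),                 # true positive
    _row("ws02", "pwsh.exe", "jsmith", "Set-ExecutionPolicy"),                       # PowerShell 7 host
    _row("ws03", "powershell.exe", "jsmith",
         "Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process"),              # arguments recorded with the cmdlet
    _row("ws04", "powershell.exe", "SYSTEM", "Set-ExecutionPolicy"),                 # upper-case system account
    _row("ws05", "powershell.exe", "network service", "Set-ExecutionPolicy"),        # built-in service account
    _row("ws06", "powershell.exe", "jsmith", "Get-ExecutionPolicy"),                 # read, not change
    _row("ws07", "cmd.exe", "jsmith", "", action="ProcessCreated", raw_fields=""),   # not a PowerShell event, empty fields
]

def command_of(event):
    """Equivalent of tostring(parse_json(AdditionalFields).Command); '' if absent or unparsable."""
    try:
        fields = json.loads(event.get("AdditionalFields") or "{}")
    except json.JSONDecodeError:
        return ""
    return str(fields.get("Command", "")) if isinstance(fields, dict) else ""

PROJECTED = ("TimeGenerated", "DeviceName", "InitiatingProcessAccountName")

def project(event, command):
    """Mirror of the query's project clause, with the parsed Command kept for triage."""
    out = {k: event[k] for k in PROJECTED}
    out["Command"] = command
    return out

def strict_filter(events):
    """Literal replay of the page's query: case-sensitive ==/!= and an exact Command match."""
    return [project(e, command_of(e)) for e in events
            if e["ActionType"] == "PowerShellCommand"
            and e["InitiatingProcessFileName"] == "powershell.exe"
            and e["InitiatingProcessAccountName"] != "system"
            and command_of(e) == "Set-ExecutionPolicy"]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumption of this example: the built-in service accounts count as "system" accounts too.
SYSTEM_ACCOUNTS = {"system", "local service", "network service"}
# Whole-term match for the cmdlet, the Python analogue of KQL's `has` on this field.
SET_POLICY = re.compile(r"(?<![\w-])set-executionpolicy(?![\w-])", re.IGNORECASE)

def hardened_filter(events):
    """Same detection with the gaps closed: case-insensitive name comparisons (=~ / !~),
    PowerShell 7 and ISE hosts included, service accounts excluded, whole-term cmdlet match."""
    hits = []
    for e in events:
        if e["ActionType"] != "PowerShellCommand":
            continue
        if e["InitiatingProcessFileName"].lower() not in POWERSHELL_HOSTS:
            continue
        if e["InitiatingProcessAccountName"].lower() in SYSTEM_ACCOUNTS:
            continue
        cmd = command_of(e)
        if SET_POLICY.search(cmd):
            hits.append(project(e, cmd))
    return hits

if __name__ == "__main__":
    for name, fn in (("strict", strict_filter), ("hardened", hardened_filter)):
        print(name, [(h["DeviceName"], h["InitiatingProcessAccountName"]) for h in fn(SAMPLE_EVENTS)])
```

Run as a script it prints the two result sets: the strict form reports ws01 but also ws04 (SYSTEM) and ws05 (network service), and misses ws02 (pwsh.exe) and ws03 (cmdlet with arguments); the hardened form reports ws01, ws02 and ws03 only.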

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,ActionType,PowerShellCommand,InitiatingProcessFileName,InitiatingProcessAccountName,AdditionalFields,Command,Set-ExecutionPolicy,TimeGenerated,DeviceName

Operators

where, ==, !=, project
