Query Details

Changing Powershell Execution Policy To Insecure Level

Query

let Timeframe = 7d; // Choose the best timeframe for your investigation
let cmdlet = dynamic([@'-executionpolicy ', @' -ep ', @' -exec ']); 
let parameters = dynamic([@'Bypass ', @'Unrestricted']); 
let exinitapps = datatable(excludedinitapps :string)  // Add as many initiating process filenames you would like to exclude
 ["applicationfilename1.exe",
  "applicationfilename2.exe",
  "applicationfilename3.exe"];
  let exparinitapps = datatable(excludedparinitapps :string)  // Add as many initiating parent process filenames you would like to exclude
 ["applicationfilename1.exe",
  "applicationfilename2.exe",
  "applicationfilename3.exe"];
DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | where ProcessCommandLine has_any(cmdlet) and ProcessCommandLine has_any(parameters)
    | where not(InitiatingProcessFileName in (['exinitapps']))
    | where not(InitiatingProcessParentFileName in (['exparinitapps']))
    | sort by Timestamp desc

About this query

Changing PowerShell execution policy to insecure level

Description

PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This query will help you identify execution policy changes. Also, you may fine tune the query by excluding InitiatingProcessFileName and InitiatingProcessParentFileName from your environment's applications.

References

Microsoft XDR

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.024/12/2023Initial publish

Explanation

This query is designed to help you identify instances where the PowerShell execution policy has been changed to a less secure level, such as "Bypass" or "Unrestricted". The execution policy is a security feature in PowerShell that controls how scripts are executed and loaded.

Here's a simple breakdown of what the query does:

  1. Timeframe: It looks at events from the past 7 days (this can be adjusted as needed).

  2. Cmdlet and Parameters: It specifically searches for command lines that include certain PowerShell parameters indicating an execution policy change, such as -executionpolicy, -ep, or -exec, followed by Bypass or Unrestricted.

  3. Exclusions: The query allows you to exclude certain applications from your environment by specifying their filenames. This helps in reducing false positives by ignoring known safe applications that might change execution policies as part of their normal operation.

  4. Data Source: It uses DeviceProcessEvents to find relevant process events.

  5. Filtering and Sorting: It filters out events based on the specified criteria and sorts them by the most recent first.

  6. Purpose: The goal is to detect potentially insecure changes to PowerShell's execution policy, which could indicate malicious activity or policy violations.

This query is mapped to the MITRE ATT&CK framework under the Execution tactic, specifically the PowerShell technique (T1059.001), which involves using command and scripting interpreters.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: December 24, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

letdynamicdatatableDeviceProcessEventswherehas_anynotinsortbydescago

MITRE Techniques

Actions

GitHub