title: Windows PowerShell Execution Policy Bypass
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: stable
description: Detects attempts to bypass PowerShell execution policy
author: Test Author
date: 2025/01/15
references:
    - https://example.com/sigma-test
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-ExecutionPolicy Bypass'
            - '-ep bypass'
            - 'Set-ExecutionPolicy Bypass'
    condition: selection
falsepositives:
    - Legitimate admin scripts
    - CI/CD pipelines
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1562.001