28 lines
655 B
YAML
28 lines
655 B
YAML
title: Windows PowerShell Execution Policy Bypass
|
|
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
|
|
status: stable
|
|
description: Detects attempts to bypass PowerShell execution policy
|
|
author: Test Author
|
|
date: 2025/01/15
|
|
references:
|
|
- https://example.com/sigma-test
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
CommandLine|contains:
|
|
- '-ExecutionPolicy Bypass'
|
|
- '-ep bypass'
|
|
- 'Set-ExecutionPolicy Bypass'
|
|
condition: selection
|
|
falsepositives:
|
|
- Legitimate admin scripts
|
|
- CI/CD pipelines
|
|
level: high
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.defense_evasion
|
|
- attack.t1562.001
|