Execution Policy Bypass

ID

execution_policy_bypass

Severity

critical

Resource

System

Tags

evader, trojan, worm

Description

This detector looks for code that tries to change the PowerShell execution policy to Bypass.
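As an added illustration (not the detector's own logic), a small Python checker that flags the common ways of setting the policy to Bypass, both on the powershell.exe/pwsh command line (including the abbreviated parameter forms) and through the Set-ExecutionPolicy cmdlet, run over a few constructed sample command lines:

```python
import re

# Added example, not the detector's implementation. Sample lines are constructed.

# Command-line form: "-ExecutionPolicy Bypass", "-ep bypass", "-ex:Bypass", ...
# powershell.exe accepts -ep and any unambiguous prefix of -ExecutionPolicy,
# and PowerShell is case-insensitive, so the parameter name is validated
# separately rather than spelled out in the regex.
_PARAM_VALUE = re.compile(
    r"""-(?P<name>[A-Za-z]+)\s*[:\s]\s*["']?(?P<value>[A-Za-z]+)"""
)

# Cmdlet form: "Set-ExecutionPolicy Bypass", "Set-ExecutionPolicy -Scope Process
# -ExecutionPolicy Bypass -Force", ...; stop at a statement separator.
_CMDLET = re.compile(r"\bSet-ExecutionPolicy\b[^;\n|]*\bbypass\b", re.IGNORECASE)


def _is_execution_policy_param(name: str) -> bool:
    n = name.lower()
    # "-e" alone is excluded: it is the usual shorthand for -EncodedCommand.
    return n == "ep" or (len(n) >= 2 and "executionpolicy".startswith(n))


def find_execution_policy_bypass(text: str) -> list[str]:
    """Return the fragments of `text` that set the execution policy to Bypass."""
    hits = [
        m.group(0)
        for m in _PARAM_VALUE.finditer(text)
        if _is_execution_policy_param(m.group("name"))
        and m.group("value").lower() == "bypass"
    ]
    hits.extend(m.group(0) for m in _CMDLET.finditer(text))
    return hits


def is_execution_policy_bypass(text: str) -> bool:
    return bool(find_execution_policy_bypass(text))


# Constructed samples: True = should be flagged, False = benign policy use.
SAMPLES = {
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\\stage.ps1": True,
    'powershell -nop -w hidden -ep bypass -c "Get-Date"': True,
    "pwsh -ex:Bypass -Command Get-Process": True,
    "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force": True,
    "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser": False,
    "powershell -ExecutionPolicy AllSigned -File deploy.ps1": False,
    "Get-ExecutionPolicy -List": False,
    "echo bypass the cache": False,
}


def mismatches() -> list[str]:
    """Sample lines where the checker disagrees with the expected verdict."""
    return [s for s, want in SAMPLES.items() if is_execution_policy_bypass(s) != want]
```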

Rationale

Attackers need to change the PowerShell execution policy in order to run their malicious PowerShell scripts.

This technique is common and can be found broadly across malicious code. Some notable examples that use it include:

  • Volt Typhoon has been operational since at least 2021, focusing on espionage and information gathering activities.