This guide focuses on PowerShell execution policies, explaining their importance, operation, management, impact on system security, and best practices. It seeks to provide an understanding of how these execution policies support effective script execution, and optimize system security in Windows environments.
- To change the PowerShell execution policy, open PowerShell (admin) and run the “Set-ExecutionPolicy RemoteSigned” command to set execution to allow scripts. The “Set-ExecutionPolicy AllSigned” command allows scripts from trusted publishers. Or the “Set-ExecutionPolicy Unrestricted” command allows scripts without restrictions.
- You can also run the “Set-ExecutionPolicy Restricted” to undo the changes and prevent scripts from running.
On Windows 11 (or 10), by default, when you try to run a script on PowerShell, it will fail with the “cannot be loaded because running scripts is disabled on this system” error message. This is because PowerShell has an “execution policy” security feature that controls how to load configuration files and run scripts to prevent malicious code from running on the system.
This guide will teach you how to change the execution policy to run scripts successfully on PowerShell on Windows 11 or 10.
To change the PowerShell execution policy on Windows 11 (or 10), use these steps:
Open Start on Windows 11.
Get-ExecutionPolicy
Get-ExecutionPolicy -List
Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy Restricted
Once you complete the steps, you can execute the script again, and it should now run successfully on Windows 11. If you no longer want to allow scripts to run on your computer, you can run the optional command mentioned in the steps.
https://youtube.com/watch?v=PXwltlq6YhU%3Fversion%3D3%26rel%3D1%26showsearch%3D0%26showinfo%3D1%26iv_load_policy%3D1%26fs%3D1%26hl%3Den-US%26autohide%3D2%26wmode%3Dtransparent
On Windows 11, you can choose from four different execution policies to allow or deny scripts:
- Restricted — blocks any script file from running.
- RemoteSigned — allows scripts to be created on the computer. However, scripts created on another device won’t run without a trusted signature.
- AllSigned — allows all scripts to run. However, only if a trusted publisher has included a signature.
- Unrestricted — runs any script without restrictions.
You don’t need to change the execution policy if you need to run a script that does not have the required parameters and does not return output. Instead, you can use the PowerShell.exe -File "FILENAME" -ExecutionPolicy Bypass command to bypass the restrictions.
Try in Splunk Security Cloud
Description
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2024-05-12
- Author: Steven Dick, Patrick Bareiss, Splunk
- ID: c2590137-0b08-4985-9ec5-6ae23d92f63d
Annotations
ATT&CK
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1059 | Command and Scripting Interpreter | Execution |
Kill Chain Phase
- Installation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
10
11
| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`]
| fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`
Macros
Required fields
List of fields required to use this analytic.
How To Implement
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 48.0 | 60 | 80 | A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
The ProblemJump To Solution
When I attempt to run a PowerShell script (for example, MyScript.ps1), I get the error:
Click to Copy
MyScript.ps1 cannot be loaded because the execution of scripts is disabled on this system.
How do I enable script execution?
What are PowerShell execution policies?
- AllSigned: With this policy, all scripts, including those created locally, must be digitally signed by a trusted publisher to execute. This approach ensures that only authorized scripts are permitted to run, but does run the risk of running any malicious scripts that have been signed.
- Bypass: This policy permits the execution of any script without restriction. This policy should be used with extreme caution, if at all, as it can potentially expose systems to security risks by permitting the execution of unsigned and unverified scripts.
- Default: With this type of policy, the default execution is set. Default sets the execution policy as restricted for Windows clients, and RemoteSigned for Windows servers. Both types of execution policies are explained below.
- RemoteSigned: This policy requires that scripts downloaded from the internet be digitally signed for execution and be permitted. Locally created scripts can be executed without digital signature. This policy is considered by many to provide a pragmatic balance between usability and security.
- Restricted:
- Undefined:
- Unrestricted: This policy grants unrestricted script execution, enabling both local and internet-sourced scripts to run without any restrictions. While convenient for development and testing, it should not be used in production environments owing to the significant security risks it represents.
In the subsequent sections, we will explore the management, best practices, and implications of PowerShell execution policies.
Common issues and solutions
Setting PowerShell execution policies can often lead to challenges impacting script and system operations. Some common issues include:
- Access Denied:
- Blocked scripts:
- Untrusted scripts:
- Elevate privileges:
- Script signing: When using policies like ‘AllSigned,’ ensure that scripts are properly signed using valid digital signatures. This prevents false “Access Denied” errors.
- Trust publishers: For ‘AllSigned’ and ‘RemoteSigned’ policies, establish trust with publishers by importing their certificates into the Certificate store.
- Unblock files:
- Check for scope issues: Be mindful of the execution policy scope. If encountering issues, ensure that the policy is set at the appropriate scope level.
- Check for group policy restrictions: In domain environments, Group Policies may enforce specific execution policies. Verify the Group Policy settings that apply to the system, as well as its location.
- Use PowerShell remoting
- Check security software: Some security software may interfere with script execution. Temporarily disable or adjust settings to troubleshoot.
- Check for conflicts: Be aware of potential conflicts between local and Group Policy settings. Ensure consistency in execution policy enforcement.
The Solution
To run PowerShell scripts, it may be necessary to change the PowerShell execution policy. The execution policy on most modern Windows systems is set to Restricted by default, preventing the execution of any PowerShell scripts. This is a security measure as PowerShell scripts can have powerful and dangerous functionality.
Click to Copy
To temporarily bypass the execution policy and run scripts in a single PowerShell session, we can specify the flag -ExecutionPolicy Bypass when starting PowerShell from Windows CMD or the Run dialog.
For example, the command below will run MyScript.ps1 without modifying the execution policy:
Click to Copy
powershell -noexit -ExecutionPolicy Bypass -File MyScript.ps1
To enable script execution permanently, we can use PowerShell’s Set-ExecutionPolicy cmdlet.
Click to Copy
This will allow execution of any locally written PowerShell scripts, but will also require that PowerShell scripts downloaded from the internet are digitally signed by a trusted publisher. This is the default setting for Windows Servers.
If this policy is still too restrictive, we can remove all restrictions with this command:
Click to Copy
This will allow any script to be executed. You will still be prompted for permission when executing a script from the internet.
A full list of execution policy options is available here.
Aligning with organizational security guidelines
Aligning Windows PowerShell execution policies with organizational security guidelines is vital for maintaining a secure and controlled scripting environment. Organizations often have specific security requirements and policies that dictate how scripts should be executed. By aligning execution policies with these guidelines, organizations can ensure consistency, reduce risks, and enhance overall security posture.
The Importance of regular audits and policy review
Regular audits and policy reviews ensure that execution policies remain effective and up to date. As organizational needs evolve and security threats change, execution policies may need adjustments.
Conducting periodic reviews allows organizations to:
- Adapt to a changing threat landscape: The cybersecurity landscape is dynamic. Regular policy reviews help organizations stay ahead of emerging threats and adjust policies accordingly.
- Evaluate policy effectiveness: Organizations can assess whether the current execution policies are effectively mitigating risks or if adjustments are necessary.
- Ensure compliance: Compliance requirements may change over time. Regular reviews help ensure that execution policies align with current compliance standards.
- Identify policy conflicts: In complex environments, policy conflicts or unintended side effects can occur. Regular audits help identify and resolve such issues.
- Maintain consistency:
- Mitigate unauthorized scripts: Regular reviews can help identify and address unauthorized or malicious scripts that may exist in production undetected.
With a well-defined and consistently enforced execution policy strategy, organizations can harness the power of PowerShell scripting while maintaining a robust security posture.
PowerShell execution policy best practices
- Production environment: In a production environment, it is prudent to adopt a more restrictive policy like ‘AllSigned’ or ‘RemoteSigned.’ This ensures that scripts are signed and authenticated before execution and reduces the risk of unauthorized or malicious code.
- Development environment: In a development environment, a more flexible policy like ‘Bypass’ or ‘Unrestricted’ may be used to facilitate testing and troubleshooting. However, these policies should not be carried over to production environments.
How to safely manage and change policies
Best practices for managing and altering PowerShell execution policies include:
- Document execution policies:
- Mandate script signing:
- Select the least permissive scope:
- Review policies: Regularly review and audit execution policies across the environment. Ensure that policies remain aligned with security requirements and organizational guidelines.
Managing PowerShell execution policies
- MachinePolicy:
- UserPolicy:
- Process:
- CurrentUser:
- LocalMachine:
A fundamental pillar of system security
PowerShell execution policies go beyond configuration rules and settings; they represent a commitment to consistent and secure IT operations. By adhering to the PowerShell execution policy best practices we’ve introduced, you are well on your way to a secure, efficient, and resilient Windows environment.
