Environment
- Cb Defense Web Console: All Versions
- Cb Defense Sensor: All Versions
- Microsoft Windows: All Supported Versions
Question
What does BYPASS_POLICY TTP mean? The Cb Defense User Guide does not provide sufficient information on the BYPASS_POLICY TTP.
Answer
- The BYPASS_POLICY TTP is set when the Sensor identifies a driver callback that includes specially crafted command-line arguments, indicating that an application attempted to bypass the device's default security policy. See the Cb Defense User Guide.
- In practice this means the BYPASS_POLICY TTP is added whenever the Sensor observes something attempting to bypass the PowerShell execution policy.
Additional Notes
- There are several ways to bypass the PowerShell execution policy. Running "powershell -ExecutionPolicy Bypass" starts a PowerShell session that allows scripts to run, with the lowered policy applied only to that process (the Process scope); the machine and user policies are unchanged. Nothing is blocked and there are no warnings or prompts.
- Running "powershell -ExecutionPolicy Unrestricted" starts a PowerShell session that loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
- The execution policy is a safety feature intended to prevent scripts from running accidentally; it is not a security boundary. Any user who can start powershell.exe can lower it for their own process, and script content can also be run without a script file at all, for example by passing it to "powershell -Command". This is why a lowered policy on the command line is recorded as a TTP to investigate rather than as proof of malicious activity: administrators and deployment tools use these switches legitimately, so the surrounding process tree and script content determine whether an event matters.
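The following PowerShell is an added example and is not taken from the Cb Defense User Guide or from the Carbon Black product. Part 1 shows that the two command lines above only change the execution policy of the child process (the Process scope) and leave the parent shell and the machine and user scopes untouched. Part 2 shows a simple hunt for the same launch pattern in process command lines, first over constructed sample command lines and then, optionally, over Security event 4688. It assumes Windows PowerShell with powershell.exe on the PATH; the sample command lines are constructed for illustration, the function names are this example's own, and the live 4688 query only returns command lines if the "Include command line in process creation events" audit setting is enabled.

```powershell
# Added example, not part of the Cb Defense KB article or the Cb Defense product.
# Part 1: a lowered -ExecutionPolicy only affects the child process (Process scope).
# Part 2: hunting for that launch pattern in process command lines.
# Sample command lines below are constructed for illustration, not real telemetry.

# --- Part 1: the change is scoped to the child process -----------------------

function Get-ChildPolicyView {
    # Starts a child powershell.exe with the given -ExecutionPolicy value and
    # returns the child's own per-scope policy listing as text. Only the
    # Process scope differs from the parent's view.
    param([ValidateSet('Bypass', 'Unrestricted')][string]$Policy)

    $childScript = 'Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String'
    & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy $Policy -Command $childScript
}

Write-Host '--- Parent shell, before ---'
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Host

foreach ($p in 'Bypass', 'Unrestricted') {
    Write-Host "--- Child started with -ExecutionPolicy $p ---"
    Get-ChildPolicyView -Policy $p | Write-Host
}

Write-Host '--- Parent shell, after: Process scope is unchanged ---'
Write-Host (Get-ExecutionPolicy -Scope Process)

# --- Part 2: hunting for the launch pattern in process command lines ---------

# powershell.exe accepts unambiguous prefixes of its switches ("-ex", "-exec")
# and the short form "-ep", so match on those rather than on the full
# "-ExecutionPolicy" spelling. Case-insensitive, because the CLI is.
$LoweredPolicyPattern = '(?i)(^|\s)-(ep|ex[a-z]*)\s+(bypass|unrestricted)\b'

function Test-LoweredExecutionPolicy {
    # Returns $true when a command line lowers the execution policy on launch.
    param([string]$CommandLine)
    return [bool]($CommandLine -match $LoweredPolicyPattern)
}

# Constructed sample command lines (not real telemetry). The first three
# should be flagged; the last three should not.
$sampleCommandLines = @(
    'powershell.exe -ExecutionPolicy Bypass -File C:\Temp\update.ps1',
    'powershell -nop -w hidden -ep bypass -c "Get-Process"',
    'powershell.exe -ExecutionPolicy Unrestricted -File .\deploy.ps1',
    'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1',
    'powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\signed.ps1',
    'cmd.exe /c echo bypass'
)

Write-Host '--- Sample command lines flagged as lowering the execution policy ---'
$sampleCommandLines |
    Where-Object { Test-LoweredExecutionPolicy $_ } |
    ForEach-Object { Write-Host "FLAG: $_" }

# Optional: run the same test over real process creation events. Event 4688
# carries the command line in its "CommandLine" data field, but only when the
# "Include command line in process creation events" audit setting is enabled.
function Find-LoweredPolicyLaunches {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -and (Test-LoweredExecutionPolicy $cmd)) {
                [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
            }
        }
}
# Requires an elevated shell to read the Security log:
# Find-LoweredPolicyLaunches | Format-Table -Wrap
```

The regex deliberately ignores "-ExecutionPolicy RemoteSigned" and "AllSigned", since those tighten rather than loosen the policy, and it does not attempt to catch bypasses that never touch the switch at all (for example script text passed to "-Command" or "-EncodedCommand"); those need separate hunts. Treat a hit the way the TTP itself should be treated: as a reason to look at the parent process and the script being run, not as a verdict.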
Related Content