Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Defense: What does BYPASS_POLICY TTP mean?

Cb Defense: What does BYPASS_POLICY TTP mean?

Environment

  • Cb Defense Web Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Question

What does BYPASS_POLICY TTP mean? The Cb Defense User Guide does not provide sufficient information on the BYPASS_POLICY TTP.
 

Answer

  • BYPASS_POLICY TTP is set when we identify a driver callback that includes specially crafted command line arguments and an application attempted to bypass the device’s default security policy. See Cb Defense User Guide.
  • What this means is that BYPASS_POLICY TTP is added anytime the Sensor observes that something is trying to bypass the PowerShell execution policy. 

Additional Notes

  • There are several ways that you can bypass the PowerShell execution policy. You can execute “powershell –ExecutionPolicy Bypass” and it will start a PowerShell session that allows for running scripts and keeps the lowered permissions isolated to just the current running process. Nothing is blocked and there are no warnings or prompts.  
  • You can also execute “powershell –ExecutionPolicy Unrestricted” and it will start a powershell that Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs. 

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎09-12-2018
Views:
979
Contributors