Splunk Enterprise Security

Assistance with Alerts Related to PowerShell Execution Policy in Splunk

kn450
Explorer

Hello everyone,

I am facing an issue with the alerts triggered by the "Set Default PowerShell Execution Policy To Unrestricted or Bypass" (Correlation Search) rule in Splunk, as many alerts are being generated unexpectedly.

After reviewing the details, I added the command `| stats count BY process_name` to analyze the data more precisely. After executing this, the result was 389 processes within 24 hours. However, it seems there might be false positives and I’m unable to determine if this alert is normal or if there’s a misconfiguration.

I would appreciate any help in identifying whether these alerts are expected or if there is an issue with the configuration or the rule itself.

Any assistance or advice would be greatly appreciated.

Thank you in advance.

1 Solution

General_Talos
Path Finder

Hey, 

If you’re referring to the correlation search detailed at Splunk Research, here are some suggestions to help reduce false positives (though these depend on your current user activity patterns):

- Identify a list of legitimate users or admins who are authorized to perform such PowerShell activities by running:

| stats count BY process_name user process_path

- Initially, you can try excluding processes running from trusted directories like C:\Windows\System32\* or C:\Program Files\*. However, note that some ransomware has been observed executing from the System32 directory as a parent process. So, consider excluding these paths only after analyzing and reducing the alert volume:

| where NOT (process_path IN ("C:\\Windows\\System32\\*", "C:\\Program Files\\*") AND user IN ("admin_user"))
| stats count BY process_name user process_path

- Pay close attention to processes that frequently appear. Cross-reference them with known benign activities to further refine your filtering logic.

- If the alerts are not time-sensitive, consider reducing the correlation search frequency (e.g., to every 6 hours) to mitigate alert fatigue.

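To check the exclusion logic from the accepted answer against sample data before wiring it into the correlation search, here is an added Python model of it (example code written for this thread, not Splunk's or the poster's SPL). The event records, the trusted-path list and the `admin_user` allow-list are constructed assumptions; the point it shows is that the `AND` keeps every event where only one of the two conditions holds.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events in the fields the SPL above uses (not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "powershell.exe", "user": "admin_user",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"process_name": "powershell.exe", "user": "jdoe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"process_name": "powershell.exe", "user": "jdoe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"process_name": "powershell.exe", "user": "admin_user",
     "process_path": r"C:\Users\admin_user\AppData\Local\Temp\powershell.exe"},
    {"process_name": "pwsh.exe", "user": "admin_user",
     "process_path": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    {"process_name": "cmd.exe", "user": "svc_backup",
     "process_path": r"C:\Windows\System32\cmd.exe"},
]

# Assumed allow-lists, mirroring the values used in the answer's SPL.
TRUSTED_PATHS = [r"C:\Windows\System32\*", r"C:\Program Files\*"]
AUTHORISED_USERS = {"admin_user"}

def matches_any(path, patterns):
    # '*' is the only wildcard; compare lower-cased because NTFS paths are
    # case-insensitive (an assumption about how the source logs them).
    return any(fnmatchcase(path.lower(), p.lower()) for p in patterns)

def is_excluded(event, trusted_paths, authorised_users):
    # Mirror of `process_path IN (trusted) AND user IN (authorised)`: an event
    # is dropped only when BOTH hold, so an authorised user running PowerShell
    # from Temp, or an unknown user running it from System32, is still kept.
    return (matches_any(event["process_path"], trusted_paths)
            and event["user"] in authorised_users)

def count_by_process(events):
    # The question's `| stats count BY process_name`, before any tuning.
    return Counter(e["process_name"] for e in events)

def tune(events, trusted_paths, authorised_users):
    # The answer's `| where NOT (...) | stats count BY process_name user process_path`.
    kept = [e for e in events if not is_excluded(e, trusted_paths, authorised_users)]
    return Counter((e["process_name"], e["user"], e["process_path"]) for e in kept)

if __name__ == "__main__":
    print("before tuning:", dict(count_by_process(SAMPLE_EVENTS)))
    for (name, user, path), n in tune(SAMPLE_EVENTS, TRUSTED_PATHS, AUTHORISED_USERS).most_common():
        print(f"{n:>3}  {name:<15} {user:<11} {path}")
```

Rows that survive tuning are the ones worth cross-referencing against known benign activity, as the answer suggests; a path in the allow-list does not on its own remove an event.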