Azure Security Center – Suspicious command line: powershell -exec bypass -encodedcommand

Last updated on: March 8th, 2021

Azure Security Center can report about the command line “powershell -exec bypass -encodedcommand” being used during vScope discoveries.

The command “-exec bypass” makes it possible to bypass the script execution policy in PowerShell. For example if it is set to “Restricted”, it’s not possible to run any scripts. Instead of setting the execution policy permanently on the machine, you can send a parameter to PowerShell which allows running the script in the encodedcommand.

 

Leave a Reply