PowerShell Script Execution Policy Enabled
Detects the PowerShell "Turn on Script Execution" policy being enabled: a registry value-set event in which the EnableScripts DWORD under a ...\Policies\Microsoft\Windows\PowerShell key is written as 1. With EnableScripts set, the ExecutionPolicy string value in the same key decides whether scripts run and whether they must be signed, and a policy written there (machine or user policy scope) takes precedence over execution policies set with Set-ExecutionPolicy at the LocalMachine or CurrentUser scope. The rule matches only the EnableScripts value itself, not the accompanying ExecutionPolicy value, and it fires on routine Group Policy refreshes as well as on an attacker writing the key directly with reg.exe or Set-ItemProperty, which is why false positives are rated as likely and the level is low.
Sigma rule (View on GitHub)
title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
      type: derived
status: test
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-18
tags:
    - attack.execution
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Likely
level: low
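The following is an added example, not part of the rule or the SigmaHQ project, showing the selection above replayed over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records, which is the event type that backs the `registry_set` log source on Windows. String matching follows Sigma semantics (case-insensitive `endswith` and equality), so both HKLM and HKU policy paths match, a value of 0 does not, and a value set under the non-policy `HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\...` key is ignored. As context beyond what the rule itself does, each finding is enriched with the ExecutionPolicy string written to the same policy key, since that value is what governs how loosely scripts may run once EnableScripts is 1. All sample events, image paths and the SID are constructed.

```python
"""Replay of the Sigma rule 'PowerShell Script Execution Policy Enabled' over
constructed Sysmon Event ID 13 records. Example code, not the rule's own
implementation; the events below are made up for illustration."""

ENABLE_SCRIPTS_SUFFIX = "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts"
EXEC_POLICY_SUFFIX = "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy"
RULE_DETAILS = "DWORD (0x00000001)"  # Sysmon renders a REG_DWORD value this way

# Constructed sample events, reduced to the Sysmon fields the example uses.
SAMPLE_EVENTS = [
    # Group Policy client applying "Turn on Script Execution" with Unrestricted
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy",
     "Details": "Unrestricted"},
    # User-scope policy written directly with reg.exe, no ExecutionPolicy set
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts",
     "Details": "DWORD (0x00000001)"},
    # Policy being disabled again: Details is 0, so the rule must not fire
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts",
     "Details": "DWORD (0x00000000)"},
    # Ordinary Set-ExecutionPolicy at LocalMachine scope: not a policy key
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy",
     "Details": "RemoteSigned"},
    # Key creation (Event ID 12) on the same path is outside registry_set
    {"EventID": 12, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts",
     "Details": ""},
]


def sigma_endswith(value, suffix):
    """Sigma string modifiers are case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def sigma_equals(value, expected):
    return value.lower() == expected.lower()


def matches_rule(event):
    """The rule's 'selection' block applied to one event. registry_set on
    Windows is backed by Sysmon Event ID 13, so other IDs never reach it."""
    if event.get("EventID") != 13:
        return False
    return (sigma_endswith(event.get("TargetObject", ""), ENABLE_SCRIPTS_SUFFIX)
            and sigma_equals(event.get("Details", ""), RULE_DETAILS))


def parent_key(target_object):
    """Registry key path without the trailing value name."""
    return target_object.rsplit("\\", 1)[0].lower()


def detect(events):
    """One finding per matching event, enriched (beyond the rule) with the
    ExecutionPolicy value set under the same policy key in this batch."""
    policy_by_key = {}
    for ev in events:
        target = ev.get("TargetObject", "")
        if ev.get("EventID") == 13 and sigma_endswith(target, EXEC_POLICY_SUFFIX):
            policy_by_key[parent_key(target)] = ev.get("Details")

    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        target = ev["TargetObject"]
        findings.append({
            "image": ev.get("Image"),
            "target": target,
            "execution_policy": policy_by_key.get(parent_key(target)),
        })
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['image']} set {hit['target']} "
              f"(ExecutionPolicy={hit['execution_policy']})")
```

Running the block prints the two hits (the svchost.exe policy write with ExecutionPolicy=Unrestricted and the reg.exe user-scope write with no ExecutionPolicy seen). The enrichment is the check a practitioner usually wants next: EnableScripts=1 together with Unrestricted or Bypass is far more interesting than the same value paired with AllSigned.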
References
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
Related rules
- ChromeLoader Malware Execution
- DarkGate - Autoit3.EXE Execution Parameters
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Diamond Sleet APT File Creation Indicators
- Diamond Sleet APT Process Activity Indicators