PowerShell Script Execution Policy Enabled
Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
Sigma rule

```yaml
title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
      type: derived
status: experimental
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023/10/18
tags:
    - attack.execution
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Likely
level: low
```
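To see how the two selection fields behave on concrete telemetry, here is an added Python evaluator (not code from the Sigma project) that applies the rule's `endswith` and exact-match conditions, with Sigma's default case-insensitive string matching, to constructed Sysmon-style registry_set events; the sample paths, the per-user hive and the `Image` field are assumptions for illustration.

```python
"""Evaluate the Sigma rule above against constructed registry_set events.
Added example, not code from the Sigma project; assumes events already carry
the rule's field names (TargetObject, Details) plus Image for reporting."""

# The rule's selection, transcribed from the YAML above.
SELECTION = {
    "TargetObject|endswith": r"\Policies\Microsoft\Windows\PowerShell\EnableScripts",
    "Details": "DWORD (0x00000001)",
}

def field_matches(event: dict, spec: str, expected: str) -> bool:
    """One Sigma field/modifier pair. Sigma string matching is case-insensitive
    by default; only the plain and 'endswith' forms are needed for this rule."""
    field, _, modifier = spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = str(value).lower(), expected.lower()
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        return value.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")

def rule_matches(event: dict) -> bool:
    """'condition: selection': every field in the selection must match."""
    return all(field_matches(event, s, e) for s, e in SELECTION.items())

# Constructed sample events (not real telemetry); Image is the writing process.
EVENTS = [
    # Machine-wide policy set to 1: fires.
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
     "Details": "DWORD (0x00000001)", "Image": r"C:\Windows\System32\reg.exe"},
    # Per-user policy hive with different casing: endswith still fires.
    {"TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\software\policies\microsoft\windows\powershell\EnableScripts",
     "Details": "DWORD (0x00000001)", "Image": r"C:\Windows\System32\gpupdate.exe"},
    # Policy explicitly disabled: Details differs, does not fire.
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
     "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\System32\svchost.exe"},
    # Sibling value under the same key: path does not end in EnableScripts.
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy",
     "Details": "RemoteSigned", "Image": r"C:\Windows\System32\svchost.exe"},
]

def matching_images(events=EVENTS) -> list:
    """Return the writing process of every event the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e)]
```

The second sample shows why the rule's false positives are rated "Likely": a Group Policy refresh writing the same value fires exactly like a manual change, so the writing process is what an analyst would triage on.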