PowerShell Script Execution Policy Enabled

Detects the PowerShell script execution policy being turned on through Group Policy, i.e. the EnableScripts value under \Policies\Microsoft\Windows\PowerShell being set to 1 (the "Turn on Script Execution" policy referenced below). Once enabled, scripts are allowed to run under the policy written alongside it in the ExecutionPolicy value (Unrestricted, RemoteSigned or AllSigned). Note that the execution policy is not a security boundary: it is a safety feature that can be bypassed from the command line (for example with -ExecutionPolicy Bypass), so this event is low-severity context for an investigation rather than evidence of compromise on its own. The rule matches only the value 1; setting EnableScripts to 0 (policy explicitly disabled) does not trigger it, and the suffix match does not distinguish the machine hive from user hives.

Sigma rule

title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
      type: derived
status: experimental
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023/10/18
tags:
    - attack.execution
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Likely
level: low
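To make the selection logic concrete, the following is an added example (not part of the Sigma rule or its repository) that evaluates the rule's two field conditions against a handful of constructed Sysmon Event ID 13 (registry_set) records. The field names TargetObject, Details, EventType and Image follow Sysmon's EventData; the sample records, including the paths and the SID in the user-hive path, are made up for illustration. The `|endswith` modifier is a suffix test, `Details` is an exact string match, both conditions in one selection are ANDed, and Sigma string matching is case-insensitive by default, which is why the comparison folds case.

```python
# Added example: evaluating the Sigma selection above against constructed
# Sysmon Event ID 13 (registry_set) records. Field names follow Sysmon's
# EventData; the records themselves are made up for this illustration.

from typing import Dict, Iterable, List

# Field conditions copied from the rule's `selection` block.
TARGET_SUFFIX = r"\Policies\Microsoft\Windows\PowerShell\EnableScripts"
DETAILS_VALUE = "DWORD (0x00000001)"


def matches_enable_scripts(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    `TargetObject|endswith` is a suffix test and `Details` is an exact
    string match; both must hold because fields within one selection are
    ANDed. Sigma string matching is case-insensitive by default, so both
    sides are case-folded before comparing.
    """
    target = str(event.get("TargetObject", "")).casefold()
    details = str(event.get("Details", "")).casefold()
    return target.endswith(TARGET_SUFFIX.casefold()) and details == DETAILS_VALUE.casefold()


def find_hits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of registry_set events down to the ones the rule flags."""
    return [e for e in events if matches_enable_scripts(e)]


# Constructed sample events (simplified Sysmon EID 13 EventData).
SAMPLE_EVENTS = [
    {   # machine-wide policy turned on by Group Policy processing: should match
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
        "Details": "DWORD (0x00000001)",
    },
    {   # same value written in a user hive by reg.exe: the suffix match
        # does not distinguish hives, so this also matches
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
        "Details": "DWORD (0x00000001)",
    },
    {   # policy explicitly disabled (value 0): Details differs, no match
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
        "Details": "DWORD (0x00000000)",
    },
    {   # the sibling ExecutionPolicy value being set: wrong value name, no match
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy",
        "Details": "Unrestricted",
    },
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
```

Running the block prints the two alerts (the svchost.exe and reg.exe writes) and stays silent on the disabled-policy write and the ExecutionPolicy write. When triaging a hit, the Image field is the first pivot: Group Policy processing writing the machine hive is the expected source, whereas reg.exe, PowerShell or an unsigned binary writing the value deserves a closer look.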
