Date: 09/03/2024
Severity: Medium
Summary
Detects a registry value being set that enables the PowerShell script execution policy: the Group Policy setting "Turn on Script Execution", stored as the EnableScripts DWORD under \Policies\Microsoft\Windows\PowerShell (HKLM for the machine, HKCU for a user). Once this value is set to 1, PowerShell is permitted to run scripts at whatever execution-policy level the sibling ExecutionPolicy value selects. Expect benign hits when administrators roll the policy out intentionally; the process that wrote the value (Sysmon's Image field) is the first thing to triage.
Indicators of Compromise (IOC) List

| Field | Value |
|---|---|
| TargetObject | `\Policies\Microsoft\Windows\PowerShell\EnableScripts` (suffix of the full registry path, e.g. `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts`) |
| Details | `DWORD (0x00000001)` |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

| Query | Logic |
|---|---|
| Detection Query 1 | `((resourceName = "Sysmon" AND eventtype = "13") AND targetobject = "\Policies\Microsoft\Windows\PowerShell\EnableScripts") AND details = "DWORD (0x00000001)"` |
| Detection Query 2 | `((Technologygroup = "EDR") AND targetobject = "\Policies\Microsoft\Windows\PowerShell\EnableScripts") AND details = "DWORD (0x00000001)"` |

Sysmon event type 13 is RegistryEvent (Value Set); Query 2 applies the same value and path match to EDR registry telemetry. Note that the referenced Sigma rule matches TargetObject with an `endswith` modifier, because Sysmon records the full path with its hive prefix (for example `HKLM\SOFTWARE\Policies\...`). The equality comparison shown above only fires if the ingest pipeline normalizes targetobject to that trailing fragment; if your platform stores the full path, use its suffix or wildcard operator on the `\Policies\Microsoft\Windows\PowerShell\EnableScripts` fragment instead, or the rule will never match.
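The following is an added example, not part of the original page or of the Sigma project's code. It applies the referenced rule's selection logic (Sysmon Event ID 13, TargetObject suffix match, Details equal to the enabled DWORD rendering) to a handful of constructed Sysmon events in the Windows event-log XML layout, and contrasts it with a literal equality match on the partial path so the difference discussed above is visible. The sample events, SIDs and process paths are constructed for illustration.

```python
"""Sigma 'PowerShell Script Execution Policy Enabled' logic over Sysmon Event ID 13 records.

Added example with constructed Sysmon XML; not real telemetry.
"""
import xml.etree.ElementTree as ET

# Values taken from the referenced Sigma rule: registry_set, TargetObject|endswith, Details exact.
TARGET_SUFFIX = r"\Policies\Microsoft\Windows\PowerShell\EnableScripts"
ENABLED_DETAILS = "DWORD (0x00000001)"
REGISTRY_VALUE_SET = "13"  # Sysmon Event ID 13: RegistryEvent (Value Set)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_sysmon_event(event_id, image, target_object, details):
    """Build a minimal Sysmon event in the Windows event-log XML layout (constructed test data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        '<EventData>'
        '<Data Name="EventType">SetValue</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetObject">{target_object}</Data>'
        f'<Data Name="Details">{details}</Data>'
        '</EventData></Event>'
    )


# Constructed sample telemetry. Only the first two events should fire.
SAMPLE_EVENTS = [
    # Machine-wide policy enabled via reg.exe (HKLM hive).
    make_sysmon_event("13", r"C:\Windows\System32\reg.exe",
                      r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
                      "DWORD (0x00000001)"),
    # Per-user policy enabled from PowerShell itself; Sysmon renders HKCU as HKU\<SID> (SID is made up).
    make_sysmon_event("13", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
                      "DWORD (0x00000001)"),
    # Same value set to 0: the policy is being disabled, not activated.
    make_sysmon_event("13", r"C:\Windows\System32\reg.exe",
                      r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts",
                      "DWORD (0x00000000)"),
    # Sibling value that selects the policy level; a different detection's job.
    make_sysmon_event("13", r"C:\Windows\System32\reg.exe",
                      r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy",
                      "RemoteSigned"),
]


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into {field: value}, including EventID from <System>."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    return fields


def matches_sigma(fields):
    """The referenced rule's selection. Sigma string matching is case-insensitive by default,
    and TargetObject is matched with the endswith modifier against the hive-less suffix."""
    return (
        fields.get("EventID") == REGISTRY_VALUE_SET
        and fields.get("TargetObject", "").lower().endswith(TARGET_SUFFIX.lower())
        and fields.get("Details", "").lower() == ENABLED_DETAILS.lower()
    )


def matches_exact_path(fields):
    """Detection Query 1 above taken literally: equality against the partial path.
    Never matches a full Sysmon TargetObject because of the hive prefix."""
    return (
        fields.get("EventID") == REGISTRY_VALUE_SET
        and fields.get("TargetObject") == TARGET_SUFFIX
        and fields.get("Details") == ENABLED_DETAILS
    )


def detect(events=SAMPLE_EVENTS, matcher=matches_sigma):
    """Return (Image, TargetObject) for every event the chosen matcher fires on."""
    hits = []
    for xml_text in events:
        fields = parse_sysmon_event(xml_text)
        if matcher(fields):
            hits.append((fields["Image"], fields["TargetObject"]))
    return hits


if __name__ == "__main__":
    for image, target in detect():
        print(f"ALERT EnableScripts=1 written by {image}: {target}")
    print("literal equality variant hits:", len(detect(matcher=matches_exact_path)))
```

Running the block reports the two activations (one HKLM, one per-user) and zero hits for the equality variant, which is the behaviour to check for in a SIEM that stores the full registry path. The process image is carried into the alert because a GPO-driven write (typically from the Group Policy client) and a write from a user-launched shell or reg.exe deserve different triage.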
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml