PowerShell Script Execution Policy Enabled

    Date: 09/03/2024

    Severity: Medium

    Summary

    Detects the PowerShell script execution policy being enabled (the EnableScripts registry value set to 1), which permits scripts to run once it is in effect.

    Indicators of Compromise (IOC) List

    TargetObject

    '\Policies\Microsoft\Windows\PowerShell\EnableScripts'

    Details

    'DWORD (0x00000001)'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourceName = "Sysmon" AND eventtype = "13") AND targetobject = "\Policies\Microsoft\Windows\PowerShell\EnableScripts") AND details = "DWORD (0x00000001)"

    Detection Query 2

    ((Technologygroup = "EDR") AND targetobject = "\Policies\Microsoft\Windows\PowerShell\EnableScripts") AND details = "DWORD (0x00000001)"
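    The same Sysmon Event ID 13 logic as Detection Query 1, written here as an added Python example (not code from the advisory or from the referenced Sigma rule) and run over constructed newline-delimited JSON events. Field names mirror the query above; matching the registry path by suffix and case-insensitively is an assumption made so that the hive prefix Sysmon records (HKLM\SOFTWARE\...) does not cause a miss.

```python
import json

# Registry value path and data the detection fires on (taken from the advisory).
ENABLESCRIPTS_SUFFIX = r"\Policies\Microsoft\Windows\PowerShell\EnableScripts"
ENABLED_DETAILS = "DWORD (0x00000001)"


def is_enablescripts_enabled(event: dict) -> bool:
    """True for a Sysmon Event ID 13 (registry value set) that writes
    EnableScripts = 1 under the PowerShell policy key."""
    if event.get("resourceName") != "Sysmon" or str(event.get("eventtype")) != "13":
        return False
    target = str(event.get("targetobject", ""))
    # Sysmon logs the full path including the hive, so match on the policy-key
    # suffix; registry paths are not case-sensitive, so compare lower-cased.
    if not target.lower().endswith(ENABLESCRIPTS_SUFFIX.lower()):
        return False
    # Value 0 (policy disabled) or any other data must not fire.
    return event.get("details") == ENABLED_DETAILS


def find_alerts(lines):
    """Run the detection over JSON-per-line events and return the matches."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the run
        if is_enablescripts_enabled(event):
            alerts.append(event)
    return alerts


# Constructed sample telemetry (not real events): one true positive, one
# EnableScripts being set to 0, one unrelated value set, and one malformed line.
SAMPLE_LOG = r'''
{"resourceName": "Sysmon", "eventtype": 13, "image": "C:\\Windows\\regedit.exe", "targetobject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts", "details": "DWORD (0x00000001)"}
{"resourceName": "Sysmon", "eventtype": 13, "image": "C:\\Windows\\System32\\gpupdate.exe", "targetobject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts", "details": "DWORD (0x00000000)"}
{"resourceName": "Sysmon", "eventtype": 13, "image": "C:\\Windows\\explorer.exe", "targetobject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "details": "C:\\Tools\\updater.exe"}
not-json at all
'''

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_LOG.splitlines()):
        print("ALERT EnableScripts=1 set by", hit["image"], "->", hit["targetobject"])
```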

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml

    Tags

    Malware, Sigma
