Detection rules › Sigma

PowerShell Script Execution Policy Enabled

Status
test
Severity
low
Author
Nasreddine Bencherchali (Nextron Systems), Thurein Oo
Source
github.com/SigmaHQ/sigma

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Event coverage

ProviderEventTitle
SysmonEvent ID 13RegistryEvent (Value Set)

Rule body yaml

title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
      type: derived
status: test
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-18
tags:
    - attack.execution
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Likely
level: low

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
    Details: 'DWORD (0x00000001)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • DWORD (0x00000001) corpus 42 (sigma 38, chronicle 4)
TargetObjectends_with
  • \Policies\Microsoft\Windows\PowerShell\EnableScripts