PowerShell Script Execution Policy Enabled

Severity: low
Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
Source: upstream

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

Details: 'DWORD (0x00000001)'
TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`DWORD (0x00000001)` corpus 37 (sigma 37)
`TargetObject`	ends_with	`\Policies\Microsoft\Windows\PowerShell\EnableScripts`

PowerShell Script Execution Policy Enabled

Event coverage

Stages and Predicates

Stage 1: selection

Indicators

Stage 1: `selection`