Potential PowerShell Execution Policy Tampering

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

or:
Details|contains: Bypass
Details|contains: Unrestricted
or:
TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
TargetObject|endswith: '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'

Stage 2: `not 1 of filter_main_svchost`

or:
Image|contains: ':\Windows\SysWOW64\'
Image|contains: ':\Windows\System32\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	match	`Bypass` `Unrestricted`
`Image`	match	`:\Windows\SysWOW64\` corpus 7 (sigma 7) `:\Windows\System32\` corpus 6 (sigma 6)
`TargetObject`	ends_with	`\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy` `\ShellIds\Microsoft.PowerShell\ExecutionPolicy`