Attempt To Set Default PowerShell Execution Policy To Unrestricted Or Bypass
Monitor for registry changes that set the PowerShell ExecutionPolicy to "Unrestricted" or "Bypass"; either value allows malicious scripts to execute.
Attempt To Set Default PowerShell Execution Policy To Unrestricted Or Bypass Help
You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Registry node. You must also be ingesting logs with the fields registry_path, registry_key_name, and registry_value_name from your endpoints.
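The detection described above, as an added example in Python (not the search shipped with this page): it flags constructed registry events that set ExecutionPolicy to Unrestricted or Bypass. The registry key locations, the `registry_value_data` field and the sample events are assumptions, made because endpoint sensors map the value name and its data into different fields.

```python
# Added example: flag registry events that set the PowerShell ExecutionPolicy
# to Unrestricted or Bypass. Key paths and registry_value_data are assumptions.
WEAK_POLICIES = {"unrestricted", "bypass"}
POLICY_KEYS = (  # assumed locations: machine/user scope, then Group Policy
    r"\software\microsoft\powershell\1\shellids\microsoft.powershell",
    r"\software\policies\microsoft\windows\powershell",
)

def _norm(value):
    """Lower-case a field and drop whitespace/quotes; missing fields become ''."""
    return (value or "").strip().strip('"').lower()

def is_weak_policy_change(event):
    path = _norm(event.get("registry_path")).rstrip("\\")
    key = _norm(event.get("registry_key_name"))
    name = _norm(event.get("registry_value_name"))
    data = _norm(event.get("registry_value_data"))
    if not any(k in path for k in POLICY_KEYS):
        return False
    # Sensors differ: "ExecutionPolicy" may be the path tail, key name or value name.
    names_policy = (path.endswith("\\executionpolicy")
                    or key.endswith("executionpolicy")
                    or name == "executionpolicy")
    # The new setting may arrive as value data or, in older mappings, as value name.
    return names_policy and (data in WEAK_POLICIES or name in WEAK_POLICIES)

def find_weak_policy_changes(events):
    return [e for e in events if is_weak_policy_change(e)]

PS_KEY = r"HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"host": "ws01", "registry_path": PS_KEY,
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "Bypass"},
    {"host": "ws02", "registry_path": PS_KEY + r"\ExecutionPolicy",
     "registry_key_name": "ExecutionPolicy", "registry_value_name": "Unrestricted"},
    {"host": "ws03", "registry_path": PS_KEY,
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "RemoteSigned"},
    {"host": "ws04", "registry_path": r"HKLM\SOFTWARE\Example\Settings",
     "registry_value_name": "Mode", "registry_value_data": "Bypass"},
    {"host": "ws05",
     "registry_path": r"HKU\S-1-5-21-0-0-0-1000\Software\Policies\Microsoft\Windows\PowerShell",
     "registry_value_name": "ExecutionPolicy", "registry_value_data": "UNRESTRICTED"},
]

if __name__ == "__main__":
    for hit in find_weak_policy_changes(SAMPLE_EVENTS):
        print(hit["host"], hit["registry_path"])
```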