Attempt To Set Default Powershell Execution Policy To Unrestricted Or Bypass

Description

Monitor for registry changes that set the PowerShell ExecutionPolicy value to "Unrestricted" or "Bypass", either of which allows malicious scripts to execute.

Help

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Registry node. You must also be ingesting logs with the fields registry_path, registry_key_name, and registry_value_name from your endpoints.
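
As an added example (not Splunk's search and not code from this page), the check described above can be written in Python over registry events that carry the fields named in the Help text. The `dest` and `registry_value_data` field names, the list of registry keys, and the sample events are assumptions constructed for illustration.

```python
import re

# Keys holding PowerShell's default execution policy: the ShellIds key
# (HKLM or HKCU, 64- or 32-bit view) and the Group Policy key.
POLICY_KEY = re.compile(
    r"\\software\\(wow6432node\\)?"
    r"(microsoft\\powershell\\1\\shellids\\microsoft\.powershell"
    r"|policies\\microsoft\\windows\\powershell)$"
)
RISKY = {"unrestricted", "bypass"}
VALUE_NAME = "executionpolicy"

def normalize_key(path):
    """Lower-case the path and drop a trailing value name, since some
    sources log the key alone and others log key plus value name."""
    p = path.strip().lower().rstrip("\\")
    if p.endswith("\\" + VALUE_NAME):
        p = p[: -len(VALUE_NAME) - 1]
    return p

def is_risky_change(event):
    """True when the event sets ExecutionPolicy to Unrestricted or Bypass."""
    path = event.get("registry_path") or event.get("registry_key_name") or ""
    name = (event.get("registry_value_name") or "").strip().lower()
    data = (event.get("registry_value_data") or "").strip().lower()
    return (name == VALUE_NAME and data in RISKY
            and POLICY_KEY.search(normalize_key(path)) is not None)

def risky_hosts(events):
    """Return (dest, value data) for each matching event, in input order."""
    return [(e["dest"], e["registry_value_data"]) for e in events if is_risky_change(e)]

# Constructed sample events (not real telemetry). dest and registry_value_data
# are assumed field names; the page names only the other three registry fields.
FIELDS = ("dest", "registry_path", "registry_value_name", "registry_value_data")
SHELL_IDS = r"\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell"
GPO = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("ws01", "HKLM" + SHELL_IDS + r"\ExecutionPolicy", "ExecutionPolicy", "Unrestricted"),
    ("ws02", "HKEY_CURRENT_USER" + SHELL_IDS, "executionpolicy", "bypass"),
    ("ws03", "HKLM" + SHELL_IDS, "ExecutionPolicy", "RemoteSigned"),
    ("ws04", GPO + r"\ScriptBlockLogging", "EnableScriptBlockLogging", "0x00000001"),
    ("srv01", GPO, "ExecutionPolicy", "Bypass"),
]]

if __name__ == "__main__":
    for dest, data in risky_hosts(SAMPLE_EVENTS):
        print(f"{dest}: ExecutionPolicy set to {data}")
```

The RemoteSigned change on ws03 and the unrelated ScriptBlockLogging value on ws04 are not reported, which keeps the alert scoped to the two policy values the detection targets.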
