Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass

Description

Monitor for changes to the ExecutionPolicy value in the registry that set it to "Unrestricted" or "Bypass", which allow unsigned scripts, including malicious ones, to run.

Content Mapping



Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

Low

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

PowerShell
Scripting

Kill Chain Phases

Installation
Actions On Objectives

Data Sources

Endpoint Detection and Response


Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass Help

This search looks for changes to the ExecutionPolicy value in the registry. The execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. It is not a security boundary: an operator who already has a shell can override it for a single process, for example with powershell.exe -ExecutionPolicy Bypass, and that override is never written to the registry, so it will not trigger this search and needs a process-creation rule instead. The default is "Restricted" on Windows clients and "RemoteSigned" on Windows Server, so that only signed or locally authored scripts run. A persistent change, made with Set-ExecutionPolicy or by editing the registry directly, lands in HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy for the LocalMachine scope, in the same path under the user's hive for the CurrentUser scope, or in HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy when it is set by Group Policy. This search fires when one of those values is set to "Unrestricted" or "Bypass." Expect occasional hits from administrators who loosen the policy intentionally; the process that wrote the value and the account it ran under are the first things to check when triaging.
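The detection logic described above, written out as an added example that is not part of the original content or of any Splunk search. It runs over constructed, Sysmon-style registry "value set" (Event ID 13) records, assumes the pipe-delimited key=value layout shown in SAMPLE_EVENTS (the field names follow Sysmon, the lines and hosts are made up), and flags only writes to the Windows PowerShell execution-policy registry values that set them to Unrestricted or Bypass. A process-creation record carrying -ExecutionPolicy Bypass on the command line is included to show that this rule, by design, does not fire on it.

```python
"""Flag registry writes that set the PowerShell execution policy to Unrestricted or Bypass.

Added example, not the page's own search. The log lines are constructed for this example;
the registry paths are the real locations in which Windows PowerShell persists the policy.
"""
from typing import Dict, Iterable, List, Optional

# Suffixes (lower-cased) of the registry values that hold an execution policy.
GROUP_POLICY_SUFFIX = r"\software\policies\microsoft\windows\powershell\executionpolicy"
SHELL_POLICY_SUFFIX = r"\software\microsoft\powershell\1\shellids\microsoft.powershell\executionpolicy"

# Values that make the detection fire; compared case-insensitively.
RISKY_POLICIES = {"unrestricted", "bypass"}

# Constructed Sysmon-like records: EventID 13 = registry value set, EventID 1 = process create.
# Sysmon writes user hives as HKU\<SID>; the SID below is a placeholder.
SAMPLE_EVENTS = [
    # 1. Set-ExecutionPolicy Bypass at LocalMachine scope: should alert.
    r"EventID=13|Host=WS01|User=CORP\alice|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy|Details=Bypass",
    # 2. CurrentUser scope tightened to RemoteSigned: benign, no alert.
    r"EventID=13|Host=WS01|User=CORP\alice|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy|Details=RemoteSigned",
    # 3. Group Policy value written directly with reg.exe, odd casing: should alert.
    r"EventID=13|Host=SRV02|User=CORP\svc-build|Image=C:\Windows\System32\reg.exe"
    r"|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy|Details=unrestricted",
    # 4. Unrelated registry write (a Run key): no alert.
    r"EventID=13|Host=SRV02|User=CORP\svc-build|Image=C:\Windows\System32\reg.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Tools\updater.exe",
    # 5. Process-scope override on the command line: nothing is written to the registry,
    #    so this rule does not fire; a process-creation rule is needed for this case.
    r"EventID=1|Host=WS01|User=CORP\alice|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Temp\stage.ps1",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict; the first '=' separates key and value."""
    event: Dict[str, str] = {}
    for field in line.split("|"):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def policy_scope(target_object: str) -> Optional[str]:
    """Return the execution-policy scope a registry path backs, or None for any other value."""
    lowered = target_object.lower()
    if lowered.startswith("hklm\\"):
        machine = True
    elif lowered.startswith("hku\\") or lowered.startswith("hkcu\\"):
        machine = False
    else:
        return None
    if lowered.endswith(GROUP_POLICY_SUFFIX):
        return "MachinePolicy" if machine else "UserPolicy"
    if lowered.endswith(SHELL_POLICY_SUFFIX):
        return "LocalMachine" if machine else "CurrentUser"
    return None


def is_risky_policy_change(event: Dict[str, str]) -> bool:
    """True for a registry value-set event that writes Unrestricted or Bypass to a policy value."""
    if event.get("EventID") != "13":
        return False
    if policy_scope(event.get("TargetObject", "")) is None:
        return False
    return event.get("Details", "").lower() in RISKY_POLICIES


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the rule over raw records and return one triage-ready finding per hit."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        if is_risky_policy_change(event):
            findings.append({
                "host": event.get("Host", ""),
                "user": event.get("User", ""),
                "image": event.get("Image", ""),
                "scope": policy_scope(event["TargetObject"]) or "",
                "policy": event["Details"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']} set {finding['scope']} policy to "
              f"{finding['policy']} via {finding['image']}")
```

The scope in each finding tells a triager whether the change came from Group Policy or from Set-ExecutionPolicy, and the image and user fields distinguish an administrator's interactive powershell.exe from a script host or reg.exe run under a service account. Matching the hive prefix and value suffix rather than the full path keeps the rule working on both the HKCU form an EDR may emit and the HKU\<SID> form Sysmon emits.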