Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass
Monitor for registry changes that set the ExecutionPolicy to "Unrestricted" or "Bypass", which allows the execution of malicious scripts.
Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass Help
This search looks for changes of the ExecutionPolicy in the registry. The ExecutionPolicy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. Usually, the ExecutionPolicy is "Restricted" for Windows clients and "RemoteSigned" for Windows Servers, allowing only certain scripts to run. This search detects when an attacker sets the ExecutionPolicy to "Unrestricted" or "Bypass."
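The same detection logic applied to registry-change events, as an added example that is not part of the original content or its search. It assumes events shaped like Sysmon Event ID 13 records (`EventType`, `Image`, `TargetObject`, `Details`) and the registry keys where Windows stores the policy, which the page does not name; the sample events, SID and process paths are constructed.

```python
import re

# Keys that hold the default policy: per-machine/per-user preference and Group Policy.
# Hive prefixes differ by log source (HKLM, HKU\<SID>), so match the tail of the path.
POLICY_KEY = re.compile(
    r"\\software\\(?:policies\\microsoft\\windows\\powershell"
    r"|(?:wow6432node\\)?microsoft\\powershell\\1\\shellids\\microsoft\.powershell)"
    r"\\executionpolicy$",
    re.IGNORECASE,
)
RISKY_VALUES = {"unrestricted", "bypass"}


def risky_policy_changes(events):
    """Return the events that set ExecutionPolicy to Unrestricted or Bypass."""
    hits = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue  # deletes and key creation carry no new policy value
        value = ev.get("Details", "").strip().strip('"').lower()
        if POLICY_KEY.search(ev.get("TargetObject", "")) and value in RISKY_VALUES:
            hits.append(ev)
    return hits


KEY = r"\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE" + KEY, "Details": "Unrestricted"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software" + KEY, "Details": "bypass"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy",
     "Details": "Unrestricted"},
    # Benign or out-of-scope events that must not alert:
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE" + KEY, "Details": "RemoteSigned"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleApp\ExecutionPolicy", "Details": "Bypass"},
    {"EventType": "DeleteValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE" + KEY, "Details": ""},
]

if __name__ == "__main__":
    for ev in risky_policy_changes(SAMPLE_EVENTS):
        print(f'{ev["Image"]} set {ev["TargetObject"]} -> {ev["Details"]}')
```

Matching on the key path and the written value together keeps legitimate changes to "RemoteSigned" and unrelated values that happen to be named ExecutionPolicy out of the results.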