Potential PowerShell Execution Policy Tampering

Rule Info

Name
Potential PowerShell Execution Policy Tampering
Description
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
Reference
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
Modified
None
Date
2023-01-11 00:00:00
Author
Nasreddine Bencherchali (Nextron Systems)
Tags
attack.defense_evasion DEMO
Id
fad91067-08c5-4d1a-8d8c-d96a21b37814
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=fad91067-08c5-4d1a-8d8c-d96a21b37814

Rule History

Author
Commit
Title
Date
Nasreddine Bencherchali
7c38a5c49
chore: add nextron authors tag
2023-02-01
Nasreddine Bencherchali
0470f4524
fix: apply suggestions from code review
2023-01-12
Nasreddine Bencherchali
d0b2e2cbb
fix: more fp and duplicate id
2023-01-11
Nasreddine Bencherchali
b6b1eba01
fix: fp and add related fields
2023-01-11
Nasreddine Bencherchali
debd658aa
feat: new rules related to appx packages
2023-01-11
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022