← Back to SOC feed Coverage →

PowerShell Script Execution Policy Enabled

sigma LOW SigmaHQ
imRegistry
powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-31T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Detection Rule

Sigma (Original)

title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
      type: derived
status: test
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-18
tags:
    - attack.execution
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Likely
level: low

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts" and RegistryValueData =~ "DWORD (0x00000001)"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts" and RegistryValueData =~ "DWORD (0x00000001)"

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml