
Summary
This rule is designed to detect tampering with the PowerShell execution policy on Windows systems. The execution policy dictates how PowerShell handles script execution and whether scripts must be signed. By changing this policy, malicious actors can bypass security measures that require script signatures, allowing them to execute unsanctioned scripts. The rule monitors changes made to the specific registry keys that store the PowerShell execution policy. The detection logic triggers when the value written to these keys ends with one of the identifiers for PowerShell's execution policies, specifically when the policy is changed to 'Bypass' or 'Unrestricted'. Such a change may indicate an attempt to evade detection or security controls. For additional context, the rule also includes a filter that disregards changes originating from recognized legitimate sources, improving its accuracy in distinguishing illicit modifications from benign activity. It is an essential component of proactive endpoint monitoring, enabling organizations to detect and respond to potential security breaches related to PowerShell usage.
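The detection logic described above, as an added example that is not the rule's own implementation: it applies the key-suffix, policy-value and legitimate-source checks to constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records. The Sysmon field names are real; the allowlisted image path and the sample events are constructed, and the allowlist stands in for whatever filter the rule actually uses.

```python
from dataclasses import dataclass

# Registry value that stores the PowerShell execution policy (machine or user scope).
POLICY_KEY_SUFFIX = "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy"
# Policies that remove the script-signing requirement entirely.
RISKY_POLICIES = ("Bypass", "Unrestricted")
# Assumed allowlist of process images treated as legitimate sources of changes
# (constructed placeholder path, not a value from the rule).
LEGITIMATE_IMAGES = ("C:\\Program Files\\Contoso\\ConfigAgent\\agent.exe",)


@dataclass
class RegistrySetEvent:
    event_id: int        # Sysmon 13 = RegistryEvent (Value Set)
    target_object: str   # full registry path that was written
    details: str         # data written to the value
    image: str           # process that performed the write


def is_policy_tamper(ev, allowlist=LEGITIMATE_IMAGES):
    """True when a SetValue event weakens the execution policy from a non-allowlisted process."""
    if ev.event_id != 13:
        return False
    if not ev.target_object.endswith(POLICY_KEY_SUFFIX):
        return False
    if not ev.details.endswith(RISKY_POLICIES):  # str.endswith accepts a tuple
        return False
    # Filter: ignore changes from recognized legitimate sources.
    return ev.image.lower() not in {i.lower() for i in allowlist}


def find_alerts(events):
    return [ev for ev in events if is_policy_tamper(ev)]


HKLM_POLICY = "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1" + POLICY_KEY_SUFFIX
HKU_POLICY = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\PowerShell\\1" + POLICY_KEY_SUFFIX
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events: one true positive, one safe policy, one allowlisted
# source, and one non-SetValue event that the logic must ignore.
SAMPLE_EVENTS = [
    RegistrySetEvent(13, HKLM_POLICY, "Bypass", PS_EXE),
    RegistrySetEvent(13, HKU_POLICY, "RemoteSigned", PS_EXE),
    RegistrySetEvent(13, HKLM_POLICY, "Unrestricted", LEGITIMATE_IMAGES[0]),
    RegistrySetEvent(12, HKLM_POLICY, "Unrestricted", PS_EXE),  # key create/delete, not SetValue
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} set {ev.target_object} = {ev.details}")
```

Tuning the allowlist is where most of the rule's precision comes from: every image added to it is a source whose policy changes will no longer be surfaced.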
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
Created: 2023-01-11