PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
Sigma rule (View on GitHub)
1title: PowerShell Logging Disabled Via Registry Key Tampering
2id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
3status: test
4description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
7author: frack113
8date: 2022-04-02
9modified: 2023-08-17
10tags:
11 - attack.defense-evasion
12 - attack.t1564.001
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains:
19 - '\Microsoft\Windows\PowerShell\' # PowerShell 5
20 - '\Microsoft\PowerShellCore\' # PowerShell 7
21 TargetObject|endswith:
22 - '\ModuleLogging\EnableModuleLogging'
23 - '\ScriptBlockLogging\EnableScriptBlockLogging'
24 - '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
25 - '\Transcription\EnableTranscripting'
26 - '\Transcription\EnableInvocationHeader'
27 - '\EnableScripts'
28 Details: 'DWORD (0x00000000)'
29 condition: selection
30falsepositives:
31 - Unknown
32level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Displaying Hidden Files Feature Disabled
- Hidden Files and Directories
- Hiding Files with Attrib.exe
- Registry Persistence via Service in Safe Mode
- Set Suspicious Files as System Files Using Attrib.EXE