PowerShell Script Execution Monitoring Disabled

About the rule

Rule Type

Standard

Rule Description

Detects attempts to disable PowerShell Script Block Logging or Module Logging by modifying registry keys. This is a common defense evasion technique to prevent security teams from seeing the content of malicious PowerShell scripts.

Why this rule?

Disabling PowerShell logging allows attackers to execute malicious scripts without leaving forensic evidence. This defensive evasion technique is a strong indicator that an adversary is attempting to hide their activities. Monitoring for this change helps identify when attackers are trying to operate undetected in your environment.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Privilege Escalation → Defense Evasion → Registry Modification → Blindspot creation for security monitoring.

Impact

Loss of visibility into PowerShell activity, allowing malicious scripts to run undetected and hindering forensic investigation.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Modify Registry (T1112)

Future actions

Known False Positives

Changes made by IT administrators to troubleshoot logging-related performance issues or during authorized system maintenance.

Next Steps

1. Identification: Identify the user account and process that initiated the registry change.
2. Analysis: Determine if the change aligns with an authorized Group Policy update.
3. Response: Revert the registry keys to ensure logging is active and investigate the source of the unauthorized change.

Mitigation