detection.wiki

Detection rules › Sigma

PowerShell Logging Disabled Via Registry Key Tampering

Severity
high
Author
frack113
Source
upstream

Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1112 Modify Registry
Defense EvasionT1112 Modify Registry, T1564.001 Hide Artifacts: Hidden Files and Directories

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

or:
TargetObject|endswith: '\EnableScripts'
TargetObject|endswith: '\ModuleLogging\EnableModuleLogging'
TargetObject|endswith: '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
TargetObject|endswith: '\ScriptBlockLogging\EnableScriptBlockLogging'
TargetObject|endswith: '\Transcription\EnableInvocationHeader'
TargetObject|endswith: '\Transcription\EnableTranscripting'
or:
TargetObject|contains: '\Microsoft\PowerShellCore\'
TargetObject|contains: '\Microsoft\Windows\PowerShell\'
Details: 'DWORD (0x00000000)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • DWORD (0x00000000) corpus 38 (sigma 38)
TargetObjectends_with
  • \EnableScripts
  • \ModuleLogging\EnableModuleLogging
  • \ScriptBlockLogging\EnableScriptBlockInvocationLogging
  • \ScriptBlockLogging\EnableScriptBlockLogging
  • \Transcription\EnableInvocationHeader
  • \Transcription\EnableTranscripting
TargetObjectmatch
  • \Microsoft\PowerShellCore\
  • \Microsoft\Windows\PowerShell\