name: PowerShell Script Block and Transcription Logging Suppression Analytic
category: "Defense Evasion"
threatname: "Impair Defenses: Indicator Blocking"
functionality: "Endpoint Management Systems"
description: |
  Detects registry modifications that disable PowerShell Script Block Logging
  or Transcription Logging under the Windows PowerShell policy keys.
  Deep#Door suppresses these controls to prevent logging of its obfuscated
  PowerShell execution chain, including embedded payload extraction commands.
  Disabling these features removes visibility into decoded runtime commands
  and hinders forensic reconstruction of the staging sequence.
reference:
labels:
  - attack.defense_evasion
  - attack.t1562.006
  - Deep#Door
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    EventType: "SetValue"
    TargetObject|contains:
      - '\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging'
      - '\PowerShell\Transcription\EnableTranscripting'
    description:
      - "0"
      - "DWORD (0x00000000)"
  condition: selection
criticality: High
saveasthreat: false
violation_summary:
  grouping_attribute: "accountname"
  level2_attribute:
  level2_metadata_attributes:
  metadata_attributes:
TECHNICAL DETAILS

Adversaries, including Deep#Door, have been observed modifying PowerShell policy
registry keys to disable security logging. Specifically, the following registry
values may be set to '0' to suppress telemetry:

  'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging'
  'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting'

These values are normally used by defenders and administrators to enable enhanced
PowerShell visibility. Setting them to '0' disables Script Block Logging and
Transcription Logging, reducing the ability to capture decoded commands and
investigate malicious execution chains.
Falsepositives: |
  - Legitimate administrative or Group Policy changes could potentially modify these values, although setting them to disabled is uncommon in well-monitored environments.
  - Consider filtering activity associated with known administrative tools, approved configuration management systems, or documented change management events.
Policy building walkthrough can be found in this previous post:
