From 532b68cc93fd698a355934bb6d3d6efcb7f6c999 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 14 Aug 2025 17:29:45 -0300
Subject: [PATCH] [Rule Tuning] PowerShell Script Block Logging Disabled (#4980)

---
 ...ense_evasion_disable_posh_scriptblocklogging.toml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 928b4cd42..e2f700f34 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/13"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,15 @@ registry where host.os.type == "windows" and event.type == "change" and
 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
 "MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
- ) and registry.data.strings : ("0", "0x00000000")
+ ) and registry.data.strings : ("0", "0x00000000") and
+ not (
+ process.executable : (
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\System32\\DeviceEnroller.exe",
+ "?:\\Windows\\system32\\omadmclient.exe",
+ "?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe"
+ ) and user.id == "S-1-5-18"
+ )
 '''