
Summary
This detection rule identifies modifications to the Windows registry that disable PowerShell logging for the currently logged-in user. PowerShell logging is essential for security monitoring: module logging, script block logging and transcription record which commands and scripts ran and what they expanded to at run time, which is what incident responders and forensic analysts rely on to reconstruct PowerShell activity. The rule targets the PowerShell logging policy keys under the Microsoft PowerShell and PowerShell Core registry paths and fires when a value that controls module logging, script block logging or transcription is set to DWORD 0, i.e. the feature is switched off. Such a change is a strong indicator of defence evasion: PowerShell is abused in many intrusions, and disabling its logging is a common preparatory step to keep that activity out of the logs (ATT&CK T1112, Modify Registry). The rule is rated high severity. Legitimate changes to these values should be rare, so each hit warrants investigation of the process that wrote the value and the account it ran under.
Categories
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2022-04-02