Disable command prompt via Registry

Rule name: Disable command prompt via Registry
Rule type: Standard
Log sources: Windows, Sysmon
MITRE ATT&CK tags: Defense Evasion: Modify Registry (T1112)
Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Detects attempts to disable the Command Prompt (CMD) by modifying the 'DisableCMD' registry value. This action is often indicative of malicious activity, such as a virus or a ransomware strain attempting to prevent the user or administrator from running repair scripts or manual cleanup commands.

Why this rule?

Disabling the command prompt through registry changes prevents administrators from using built-in tools for investigation and remediation. This technique restricts legitimate troubleshooting while allowing attackers to use alternative execution methods. Detection helps identify attempts to limit your incident response capabilities.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Persistence → Defense Evasion → Registry Modification (DisableCMD) → User/Admin cannot launch cmd.exe → Hindered incident response.

Impact

Prevents the execution of batch files and manual command-line troubleshooting, increasing the time an attacker remains active on the system before they can be removed.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System or the HKLM equivalent.

Criteria

Action1: actionname = "Registry Event"
  AND ( OBJECTNAME contains "Policies\Microsoft\Windows\System" )
  AND ( OBJECTNAME endswith "DisableCMD" OR OBJECTVALUENAME = "DisableCMD" )
  AND ( CHANGES = "1" OR INFORMATION = "DWORD (0x00000001)" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.PROCESSNAME, Action1.OBJECTNAME, Action1.OBJECTVALUENAME, Action1.ACCESSES, Action1.USERNAME, Action1.DOMAIN, Action1.PREVVAL, Action1.CHANGES, Action1.INFORMATION
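As an added example (not the vendor's rule engine), the criteria above re-implemented in Python and run over constructed registry-event records; it also reports which hive the change landed in, which is what the first of the Next Steps asks an analyst to check. Field names follow the query; the case-insensitive path match, the hive-prefix table and every sample value are assumptions made for this illustration.

```python
from typing import Iterable

# Key fragment the OBJECTNAME check looks for; compared case-insensitively here
# because registry paths are case-insensitive (an assumption, not stated by the query).
KEY_FRAGMENT = "policies\\microsoft\\windows\\system"

def matches_rule(ev: dict) -> bool:
    """Apply the Action1 criteria from the Criteria section to one event record."""
    if ev.get("actionname") != "Registry Event":
        return False
    obj = ev.get("OBJECTNAME", "").lower()
    if KEY_FRAGMENT not in obj:
        return False
    if not (obj.endswith("disablecmd") or ev.get("OBJECTVALUENAME") == "DisableCMD"):
        return False
    # Security log 4657 carries the new data in CHANGES; Sysmon EID 13 carries it in INFORMATION.
    return ev.get("CHANGES") == "1" or ev.get("INFORMATION") == "DWORD (0x00000001)"

def scope_of(objectname: str) -> str:
    """Next step 1: was the lockdown applied to one user's hive or to the whole machine?"""
    hive = objectname.split("\\", 1)[0].upper()
    if hive in ("HKEY_CURRENT_USER", "HKCU", "HKEY_USERS", "HKU"):
        return "user"
    if hive in ("HKEY_LOCAL_MACHINE", "HKLM"):
        return "machine"
    return "unknown"

def find_alerts(events: Iterable[dict]) -> list:
    """Return (HOSTNAME, PROCESSNAME, scope) for each event that fires the rule."""
    return [(ev["HOSTNAME"], ev["PROCESSNAME"], scope_of(ev["OBJECTNAME"]))
            for ev in events if matches_rule(ev)]

# Constructed sample records (not real telemetry); field names follow the query.
SAMPLE_EVENTS = [
    {"actionname": "Registry Event", "HOSTNAME": "WS01", "PROCESSNAME": r"C:\Windows\System32\reg.exe",
     "OBJECTNAME": r"HKU\S-1-5-21-1000\Software\Policies\Microsoft\Windows\System\DisableCMD",
     "OBJECTVALUENAME": "", "CHANGES": "", "INFORMATION": "DWORD (0x00000001)"},
    {"actionname": "Registry Event", "HOSTNAME": "WS02", "PROCESSNAME": r"C:\Windows\System32\svchost.exe",
     "OBJECTNAME": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System",
     "OBJECTVALUENAME": "DisableCMD", "CHANGES": "1", "INFORMATION": ""},
    {"actionname": "Registry Event", "HOSTNAME": "WS03", "PROCESSNAME": r"C:\Windows\regedit.exe",
     "OBJECTNAME": r"HKCU\Software\Policies\Microsoft\Windows\System",
     "OBJECTVALUENAME": "DisableCMD", "CHANGES": "0", "INFORMATION": ""},   # re-enabling CMD: no alert
    {"actionname": "Registry Event", "HOSTNAME": "WS04", "PROCESSNAME": r"C:\Windows\regedit.exe",
     "OBJECTNAME": r"HKCU\Software\Policies\Microsoft\Windows\System",
     "OBJECTVALUENAME": "DisableRegistryTools", "CHANGES": "1", "INFORMATION": ""},  # other value: no alert
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(hit)
```

The second sample record (a machine-wide change written by a service process) is the shape of the known false positive, a GPO applied deliberately, so the PROCESSNAME and scope columns are what separate it from a user-hive change made by an unexpected binary.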

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Modify Registry (T1112)

Future actions

Known False Positives

Administrative GPOs designed to restrict command-line access for standard users in environments like public kiosks, schools, or high-security call centers.

Next Steps

  1. Identification: Check the OBJECTNAME to see if the change was applied to the Current User or the whole machine.
  2. Analysis: Look for recent software installations that may have bundled this registry change.
  3. Response: Re-enable CMD access via registry or GPO and investigate the process that initiated the lockdown.

Mitigation

ID: M1024
Mitigation: Restrict Registry Permissions
Description: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.