Disabling registry

About the rule

Rule Type

Standard

Rule Description

Detects attempts to disable registry editing tools (like regedit.exe) by modifying the 'DisableRegistryTools' registry value. This is a common tactic used by malware and attackers to prevent users or administrators from manually inspecting or reverting malicious registry changes.

Why this rule?

Disabling registry editing tools prevents administrators and security tools from investigating or remediating malicious registry changes. This defensive evasion technique helps attackers maintain persistence and protect their modifications from discovery. Detection indicates an adversary is actively trying to prevent incident response.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Persistence → Defense Evasion → Registry Modification (DisableRegistryTools) → Prevention of manual cleanup → Sustained presence on the host.

Impact

Hindrance of incident response activities and prevention of manual troubleshooting by IT staff or security analysts.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and the HKLM equivalent.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Modify Registry (T1112)

Future actions

Known False Positives

Enforcement of "Lockdown" policies via Group Policy (GPO) in high-security environments, kiosks, or shared educational computers.

Next Steps

1. Identification: Check if the change originated from a local process or a GPO update.
2. Analysis: Identify if other administrative tools (CMD, Task Manager) were disabled simultaneously.
3. Response: Use remote management tools to re-enable registry access and investigate the initiating process.

Mitigation