Windows Credential Guard Related Registry Value Deleted via Registry

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects attempts to disable Windows Credential Guard by deleting registry values.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Registry Event" AND (( OBJECTNAME contains "\DeviceGuard" AND ( OBJECTNAME endswith "EnableVirtualizationBasedSecurity,LsaCfgFlags,RequirePlatformSecurityFeatures" OR OBJECTVALUENAME = "EnableVirtualizationBasedSecurity,LsaCfgFlags,RequirePlatformSecurityFeatures" )) OR ( OBJECTNAME contains "\Lsa" AND ( OBJECTNAME endswith "LsaCfgFlags" OR OBJECTVALUENAME = "LsaCfgFlags" )) AND ( ACCESSES = "objectdeleted,deletevalue" )) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Swachchhanda Shrawan Poudel (Nextron Systems)