Windows Credential Guard Related Registry Value Deleted via Registry
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects attempts to disable Windows Credential Guard by deleting registry values.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Registry Event" AND (( OBJECTNAME contains "\DeviceGuard" AND ( OBJECTNAME endswith "EnableVirtualizationBasedSecurity,LsaCfgFlags,RequirePlatformSecurityFeatures" OR OBJECTVALUENAME = "EnableVirtualizationBasedSecurity,LsaCfgFlags,RequirePlatformSecurityFeatures" )) OR ( OBJECTNAME contains "\Lsa" AND ( OBJECTNAME endswith "LsaCfgFlags" OR OBJECTVALUENAME = "LsaCfgFlags" )) AND ( ACCESSES = "objectdeleted,deletevalue" ))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


