Detection rules › Kusto Query Language

Disabling Security Services via Registry

Source: upstream

This query checks for processes modifying the registry to disable security features. This is a common technique used by threat actors for defence evasion.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562` Impair Defenses

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.
Defender-DeviceProcessEvents	9001000	Process activity (any)

Stages and Predicates

Stage 1: `source`

DeviceProcessEvents

Stage 2: `where`

and
  InitiatingProcessCommandLine match ["DisableRealtimeMonitoring", "UseTPMKey", "UseTPMKeyPIN", "UseAdvancedStartup", "EnableBDEWithNoTPM", "RecoveryKeyMessageSource"]
  InitiatingProcessCommandLine match ["\"reg\"", "add", "\"HKLM\\SOFTWARE\\Policies\\", "/v", "/t", "REG_DWORD", "/d", "/f"]

Stage 3: `extend`

Stage 4: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`InitiatingProcessCommandLine`	match	`"HKLM\SOFTWARE\Policies\` `"reg"` `/d` `/f` corpus 2 (sigma 2) `/t` `/v` corpus 4 (sigma 4) `DisableRealtimeMonitoring` `EnableBDEWithNoTPM` `REG_DWORD` `RecoveryKeyMessageSource` `UseAdvancedStartup` `UseTPMKey` `UseTPMKeyPIN` `add` corpus 16 (sigma 16)

Disabling Security Services via Registry

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: extend

Stage 4: extend

Indicators

Stage 1: `source`

Stage 2: `where`

Stage 3: `extend`

Stage 4: `extend`