Windows Credential Guard Registry Tampering Via CommandLine

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.001` Impair Defenses: Disable or Modify Tools

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\reg.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll
OriginalFileName: reg.exe

Stage 2: `all of selection_cli`

or:
CommandLine|contains: 'New-ItemProperty '
CommandLine|contains: 'Remove-ItemProperty '
CommandLine|contains: 'Set-ItemProperty '
CommandLine|contains: 'add '
CommandLine|contains: 'del '
CommandLine|contains: 'delete '
CommandLine|contains: 'rp '
CommandLine|contains: 'si '

Stage 3: `all of selection_key_base`

or:
CommandLine|contains: 'Software\Policies\Microsoft\Windows\DeviceGuard'
CommandLine|contains: '\Control\DeviceGuard'
CommandLine|contains: '\Control\LSA'

Stage 4: `all of selection_key_specific`

or:
CommandLine|contains: 'EnableVirtualizationBasedSecurity'
CommandLine|contains: LsaCfgFlags
CommandLine|contains: RequirePlatformSecurityFeatures

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`EnableVirtualizationBasedSecurity` corpus 2 (sigma 2) `LsaCfgFlags` `New-ItemProperty` corpus 3 (sigma 3) `Remove-ItemProperty` `RequirePlatformSecurityFeatures` `Set-ItemProperty` corpus 3 (sigma 3) `Software\Policies\Microsoft\Windows\DeviceGuard` `\Control\DeviceGuard` `\Control\LSA` `add` corpus 9 (sigma 9) `del` corpus 5 (sigma 5) `delete` corpus 4 (sigma 4) `rp` `si` corpus 4 (sigma 4)
`Image`	ends_with	`\powershell.exe` corpus 143 (sigma 143) `\pwsh.exe` corpus 140 (sigma 140) `\reg.exe` corpus 46 (sigma 46)
`OriginalFileName`	eq	`PowerShell.EXE` corpus 64 (sigma 60, splunk 4) `pwsh.dll` corpus 72 (sigma 68, splunk 4) `reg.exe` corpus 29 (sigma 29)

Windows Credential Guard Registry Tampering Via CommandLine

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_img

Stage 2: all of selection_cli

Stage 3: all of selection_key_base

Stage 4: all of selection_key_specific

Indicators

Stage 1: `all of selection_img`

Stage 2: `all of selection_cli`

Stage 3: `all of selection_key_base`

Stage 4: `all of selection_key_specific`