Detection rules › Sigma

Windows Credential Guard Registry Tampering Via CommandLine

Status
experimental
Severity
high
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.

MITRE ATT&CK coverage

TacticTechniques
Defense ImpairmentT1685 Disable or Modify Tools

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation

Rule body yaml

title: Windows Credential Guard Registry Tampering Via CommandLine
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
related:
    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
      type: similar
    - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
      type: similar
status: experimental
description: |
    Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
    The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
    Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
references:
    - https://woshub.com/disable-credential-guard-windows/
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli:
        CommandLine|contains:
            # add/modify
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si '  # SetItem Alias
            # delete
            - 'delete '
            - 'del '
            - 'Remove-ItemProperty '
            - 'rp '
    selection_key_base:
        CommandLine|contains:
            - '\Control\DeviceGuard'
            - '\Control\LSA'
            - 'Software\Policies\Microsoft\Windows\DeviceGuard'
    selection_key_specific:
        CommandLine|contains:
            - 'EnableVirtualizationBasedSecurity'
            - 'RequirePlatformSecurityFeatures'
            - 'LsaCfgFlags'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_img

selection_img:
    - Image|endswith:
          - '\powershell.exe'
          - '\pwsh.exe'
          - '\reg.exe'
    - OriginalFileName:
          - 'PowerShell.EXE'
          - 'pwsh.dll'
          - 'reg.exe'

Stage 2: selection_cli

selection_cli:
    CommandLine|contains:
        # add/modify
        - 'add '
        - 'New-ItemProperty '
        - 'Set-ItemProperty '
        - 'si '  # SetItem Alias
        # delete
        - 'delete '
        - 'del '
        - 'Remove-ItemProperty '
        - 'rp '

Stage 3: selection_key_base

selection_key_base:
    CommandLine|contains:
        - '\Control\DeviceGuard'
        - '\Control\LSA'
        - 'Software\Policies\Microsoft\Windows\DeviceGuard'

Stage 4: selection_key_specific

selection_key_specific:
    CommandLine|contains:
        - 'EnableVirtualizationBasedSecurity'
        - 'RequirePlatformSecurityFeatures'
        - 'LsaCfgFlags'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • EnableVirtualizationBasedSecurity corpus 2 (sigma 2)
  • LsaCfgFlags
  • New-ItemProperty corpus 3 (sigma 3)
  • Remove-ItemProperty
  • RequirePlatformSecurityFeatures
  • Set-ItemProperty corpus 3 (sigma 3)
  • Software\Policies\Microsoft\Windows\DeviceGuard
  • \Control\DeviceGuard
  • \Control\LSA corpus 2 (sigma 2)
  • add corpus 11 (sigma 11)
  • del corpus 5 (sigma 5)
  • delete corpus 4 (sigma 4)
  • rp
  • si corpus 5 (sigma 5)
Imageends_with
  • \powershell.exe corpus 186 (sigma 186)
  • \pwsh.exe corpus 172 (sigma 172)
  • \reg.exe corpus 60 (sigma 60)
OriginalFileNameeq
  • PowerShell.EXE corpus 121 (sigma 85, splunk 30, elastic 6)
  • pwsh.dll corpus 112 (sigma 79, splunk 30, elastic 3)
  • reg.exe corpus 42 (sigma 32, splunk 8, elastic 2)