Detection rules › Sigma
Windows Credential Guard Related Registry Value Deleted - Registry
Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 14 | RegistryEvent (Key and Value Rename) |
Stages and Predicates
Stage 1: selection
or:
TargetObject|endswith: '\DeviceGuard\EnableVirtualizationBasedSecurity'
TargetObject|endswith: '\DeviceGuard\LsaCfgFlags'
TargetObject|endswith: '\DeviceGuard\RequirePlatformSecurityFeatures'
TargetObject|endswith: '\Lsa\LsaCfgFlags'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetObject | ends_with |
|