detection.wiki

Detection rules › Sigma

Windows Credential Guard Disabled - Registry

Severity
high
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

or:
TargetObject|endswith: '\DeviceGuard\EnableVirtualizationBasedSecurity'
TargetObject|endswith: '\DeviceGuard\LsaCfgFlags'
TargetObject|endswith: '\Lsa\LsaCfgFlags'
Details: 'DWORD (0x00000000)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • DWORD (0x00000000) corpus 38 (sigma 38)
TargetObjectends_with
  • \DeviceGuard\EnableVirtualizationBasedSecurity corpus 2 (sigma 2)
  • \DeviceGuard\LsaCfgFlags corpus 2 (sigma 2)
  • \Lsa\LsaCfgFlags corpus 2 (sigma 2)