
Commit 478120e

Merge PR #5814 from @swachchhanda000 - Add New Credential Guard Tampering Rules
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <[email protected]>
1 parent c6a32d9 commit 478120e

13 files changed

Lines changed: 335 additions & 0 deletions

Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
{
2+
"Event": {
3+
"#attributes": {
4+
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
5+
},
6+
"System": {
7+
"Provider": {
8+
"#attributes": {
9+
"Name": "Microsoft-Windows-Sysmon",
10+
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
11+
}
12+
},
13+
"EventID": 1,
14+
"Version": 5,
15+
"Level": 4,
16+
"Task": 1,
17+
"Opcode": 0,
18+
"Keywords": "0x8000000000000000",
19+
"TimeCreated": {
20+
"#attributes": {
21+
"SystemTime": "2025-12-26T06:45:49.034405Z"
22+
}
23+
},
24+
"EventRecordID": 23573,
25+
"Correlation": null,
26+
"Execution": {
27+
"#attributes": {
28+
"ProcessID": 3484,
29+
"ThreadID": 3424
30+
}
31+
},
32+
"Channel": "Microsoft-Windows-Sysmon/Operational",
33+
"Computer": "swachchhanda",
34+
"Security": {
35+
"#attributes": {
36+
"UserID": "S-1-5-18"
37+
}
38+
}
39+
},
40+
"EventData": {
41+
"RuleName": "-",
42+
"UtcTime": "2025-12-26 06:45:49.010",
43+
"ProcessGuid": "0197231E-2F1D-694E-F304-000000000A00",
44+
"ProcessId": 12232,
45+
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
46+
"FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
47+
"Description": "Windows PowerShell",
48+
"Product": "Microsoft® Windows® Operating System",
49+
"Company": "Microsoft Corporation",
50+
"OriginalFileName": "PowerShell.EXE",
51+
"CommandLine": "\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"Set-ItemProperty -Path \"HKLM:Software\\Policies\\Microsoft\\Windows\\DeviceGuard\" -Name \"EnableVirtualizationBasedSecurity\" -Value 0\"",
52+
"CurrentDirectory": "C:\\Windows\\System32\\",
53+
"User": "swachchhanda\\xodih",
54+
"LogonGuid": "0197231E-DDAE-694E-10B6-120000000000",
55+
"LogonId": "0x12b610",
56+
"TerminalSessionId": 1,
57+
"IntegrityLevel": "High",
58+
"Hashes": "MD5=1736263E02468939F808C0528E8DBB7E,SHA256=1F9FFC2227F8DEA8B771D543C464CF8166C22A39420A5322B5892A640C4B34B6,IMPHASH=68A9FF9C8D0D4655E46E1A7A190A41D2",
59+
"ParentProcessGuid": "00000000-0000-0000-0000-000000000000",
60+
"ParentProcessId": 10996,
61+
"ParentImage": "-",
62+
"ParentCommandLine": "-",
63+
"ParentUser": "-"
64+
}
65+
}
66+
}
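Review bot: this regression sample exercises only one branch of the new process_creation rule, the PowerShell `Set-ItemProperty ` token combined with the `Software\Policies\Microsoft\Windows\DeviceGuard` path and `EnableVirtualizationBasedSecurity`; the `reg.exe` image, the `OriginalFileName` selection and the `add `/`delete ` tokens have no sample here. A second EVTX capturing the equivalent `reg.exe add` or `reg.exe delete` invocation (the Event ID 12 sample elsewhere in this commit shows reg.exe was used for the delete case) would give the rule's `all of selection_*` condition coverage on both tool paths. Also note that `ParentProcessGuid`, `ParentImage` and `ParentCommandLine` are `00000000-...`/`-` in this event, so nothing parent-based is exercised; that is fine for this rule but worth knowing if a parent filter is added later.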
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
id: f96a3ce2-ae73-4171-8877-71ccf1da7ce5
2+
description: N/A
3+
date: 2025-12-26
4+
author: Swachchhanda Shrawan Poudel (Nextron Systems)
5+
rule_metadata:
6+
- id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
7+
title: Windows Credential Guard Registry Tampering Via CommandLine
8+
regression_tests_info:
9+
- name: Positive Detection Test
10+
type: evtx
11+
provider: Microsoft-Windows-Sysmon
12+
match_count: 1
13+
path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx
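Review bot: `description: N/A` leaves the test undocumented; state what the EVTX captures, e.g. "PowerShell `Set-ItemProperty` setting `HKLM:\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` to 0, Sysmon Event ID 1", so a future maintainer can tell which rule branch it pins. Only a positive test (`match_count: 1`) is listed; a negative sample with `match_count: 0` (for instance a `reg query` of the same key, which the rule intentionally does not list under `selection_cli`) would guard against the rule being broadened by accident.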
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
{
2+
"Event": {
3+
"#attributes": {
4+
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
5+
},
6+
"System": {
7+
"Provider": {
8+
"#attributes": {
9+
"Name": "Microsoft-Windows-Sysmon",
10+
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
11+
}
12+
},
13+
"EventID": 12,
14+
"Version": 2,
15+
"Level": 4,
16+
"Task": 12,
17+
"Opcode": 0,
18+
"Keywords": "0x8000000000000000",
19+
"TimeCreated": {
20+
"#attributes": {
21+
"SystemTime": "2025-12-26T19:24:05.918776Z"
22+
}
23+
},
24+
"EventRecordID": 18298,
25+
"Correlation": null,
26+
"Execution": {
27+
"#attributes": {
28+
"ProcessID": 3484,
29+
"ThreadID": 3424
30+
}
31+
},
32+
"Channel": "Microsoft-Windows-Sysmon/Operational",
33+
"Computer": "swachchhanda",
34+
"Security": {
35+
"#attributes": {
36+
"UserID": "S-1-5-18"
37+
}
38+
}
39+
},
40+
"EventData": {
41+
"RuleName": "-",
42+
"EventType": "DeleteValue",
43+
"UtcTime": "2025-12-26 19:24:05.918",
44+
"ProcessGuid": "0197231E-E0D5-694E-3803-000000000A00",
45+
"ProcessId": 11088,
46+
"Image": "C:\\WINDOWS\\system32\\reg.exe",
47+
"TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures",
48+
"User": "swachchhanda\\xodih"
49+
}
50+
}
51+
}
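Review bot: this Event ID 12 sample is an `EventType: DeleteValue` on the single value `RequirePlatformSecurityFeatures` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`, performed by `reg.exe`. Sysmon reports removal of the whole key as a separate `DeleteKey` event whose `TargetObject` is the key path itself, with no value name, so if the registry_delete rule is meant to catch a `DeviceGuard` key being deleted outright, a `DeleteKey` sample should be added alongside this one; if it is meant to match value names only, the info.yml description should say so. Unlike the process_creation sample, this event carries no `CommandLine`, so the rule can key only on `TargetObject`, `Image` and `EventType`.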
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
id: 2e3725ae-2eaa-48a2-9d9b-4a7d55a75974
2+
description: N/A
3+
date: 2025-12-26
4+
author: Swachchhanda Shrawan Poudel (Nextron Systems)
5+
rule_metadata:
6+
- id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
7+
title: Windows Credential Guard Related Registry Value Deleted - Registry
8+
regression_tests_info:
9+
- name: Positive Detection Test
10+
type: evtx
11+
provider: Microsoft-Windows-Sysmon
12+
match_count: 1
13+
path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx
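Review bot: `description: N/A` again; the EVTX for this entry is a `reg.exe` `DeleteValue` on `...\DeviceGuard\RequirePlatformSecurityFeatures`, and naming that here would make the test self-explanatory. Consider a `match_count: 0` companion (e.g. a `DeleteValue` on an unrelated value under the same hive) so the rule's scope on `TargetObject` is checked in both directions.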
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"Event": {
3+
"#attributes": {
4+
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
5+
},
6+
"System": {
7+
"Provider": {
8+
"#attributes": {
9+
"Name": "Microsoft-Windows-Sysmon",
10+
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
11+
}
12+
},
13+
"EventID": 13,
14+
"Version": 2,
15+
"Level": 4,
16+
"Task": 13,
17+
"Opcode": 0,
18+
"Keywords": "0x8000000000000000",
19+
"TimeCreated": {
20+
"#attributes": {
21+
"SystemTime": "2025-12-26T06:45:50.191274Z"
22+
}
23+
},
24+
"EventRecordID": 23575,
25+
"Correlation": null,
26+
"Execution": {
27+
"#attributes": {
28+
"ProcessID": 3484,
29+
"ThreadID": 3424
30+
}
31+
},
32+
"Channel": "Microsoft-Windows-Sysmon/Operational",
33+
"Computer": "swachchhanda",
34+
"Security": {
35+
"#attributes": {
36+
"UserID": "S-1-5-18"
37+
}
38+
}
39+
},
40+
"EventData": {
41+
"RuleName": "-",
42+
"EventType": "SetValue",
43+
"UtcTime": "2025-12-26 06:45:50.187",
44+
"ProcessGuid": "0197231E-2F1D-694E-F304-000000000A00",
45+
"ProcessId": 12232,
46+
"Image": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
47+
"TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity",
48+
"Details": "DWORD (0x00000000)",
49+
"User": "swachchhanda\\xodih"
50+
}
51+
}
52+
}
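Review bot: the `Details` field is `DWORD (0x00000000)`, i.e. the sample only covers disabling via `EnableVirtualizationBasedSecurity` set to 0, and it comes from the same PowerShell process as the Event ID 1 sample in this commit (identical `ProcessGuid` `0197231E-2F1D-694E-F304-000000000A00`, one second later). If the registry_set rule is intended to fire only when the value is set to 0, add a sample with a non-zero `Details` and `match_count: 0`; if it is intended to fire on any write to the value, say so in the rule description, since a legitimate enable (`0x00000001`) would then also alert. The other value names the process_creation rule cares about (`RequirePlatformSecurityFeatures`, `LsaCfgFlags`) have no `SetValue` sample here.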
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
id: 7d8d93c3-25b2-4225-9f91-66997f5b446f
2+
description: N/A
3+
date: 2025-12-26
4+
author: Swachchhanda Shrawan Poudel (Nextron Systems)
5+
rule_metadata:
6+
- id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
7+
title: Windows Credential Guard Disabled - Registry
8+
regression_tests_info:
9+
- name: Positive Detection Test
10+
type: evtx
11+
provider: Microsoft-Windows-Sysmon
12+
match_count: 1
13+
path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx
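Review bot: `description: N/A` once more; document the scenario (PowerShell `SetValue` of `EnableVirtualizationBasedSecurity` to `DWORD 0`, Sysmon Event ID 13) and add a negative test with `match_count: 0`, for the same reasons as the other two info.yml files in this commit.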
Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
title: Windows Credential Guard Registry Tampering Via CommandLine
2+
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
3+
related:
4+
- id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
5+
type: similar
6+
- id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
7+
type: similar
8+
status: experimental
9+
description: |
10+
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
11+
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
12+
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
13+
The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
14+
Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
15+
references:
16+
- https://woshub.com/disable-credential-guard-windows/
17+
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
18+
author: Swachchhanda Shrawan Poudel (Nextron Systems)
19+
date: 2025-12-26
20+
tags:
21+
- attack.defense-evasion
22+
- attack.t1562.001
23+
logsource:
24+
category: process_creation
25+
product: windows
26+
detection:
27+
selection_img:
28+
- Image|endswith:
29+
- '\powershell.exe'
30+
- '\pwsh.exe'
31+
- '\reg.exe'
32+
- OriginalFileName:
33+
- 'PowerShell.EXE'
34+
- 'pwsh.dll'
35+
- 'reg.exe'
36+
selection_cli:
37+
CommandLine|contains:
38+
# add/modify
39+
- 'add '
40+
- 'New-ItemProperty '
41+
- 'Set-ItemProperty '
42+
- 'si ' # SetItem Alias
43+
# delete
44+
- 'delete '
45+
- 'del '
46+
- 'Remove-ItemProperty '
47+
- 'rp '
48+
selection_key_base:
49+
CommandLine|contains:
50+
- '\Control\DeviceGuard'
51+
- '\Control\LSA'
52+
- 'Software\Policies\Microsoft\Windows\DeviceGuard'
53+
selection_key_specific:
54+
CommandLine|contains:
55+
- 'EnableVirtualizationBasedSecurity'
56+
- 'RequirePlatformSecurityFeatures'
57+
- 'LsaCfgFlags'
58+
condition: all of selection_*
59+
falsepositives:
60+
- Unlikely
61+
level: high
62+
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml
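Review bot: `selection_cli` lists `'si ' # SetItem Alias` but not `'sp '`. `si` is the alias of `Set-Item`, which writes a key's default value; the cmdlet that actually sets a named value such as `EnableVirtualizationBasedSecurity` or `LsaCfgFlags` is `Set-ItemProperty`, whose alias is `sp`. A command line using `sp -Path HKLM:\...\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 0` would therefore miss `selection_cli` while the long form is caught; adding `- 'sp ' # Set-ItemProperty alias` closes that gap. Two smaller points: because `selection_key_specific` requires one of the three value names, deleting the whole `DeviceGuard` key (`reg delete ...\DeviceGuard /f` with no `/v`) is not matched, which may or may not be intended and should be stated in the description; and `falsepositives: Unlikely` understates it, since deployment or hardening scripts legitimately write exactly these policy values (including setting them to 1), so naming "administrative scripts configuring Credential Guard" would help analysts triage.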
