Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Windows Credential Guard Registry Tampering Via CommandLine

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Windows Credential Guard Registry Tampering Via CommandLine

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2

title: Windows Credential Guard Registry Tampering Via CommandLine
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
related:
    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
      type: similar
    - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
      type: similar
status: experimental
description: |
    Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
    The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
    Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
references:
    - https://woshub.com/disable-credential-guard-windows/
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli:
        CommandLine|contains:
            # add/modify
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si '  # SetItem Alias
            # delete
            - 'delete '
            - 'del '
            - 'Remove-ItemProperty '
            - 'rp '
    selection_key_base:
        CommandLine|contains:
            - '\Control\DeviceGuard'
            - '\Control\LSA'
            - 'Software\Policies\Microsoft\Windows\DeviceGuard'
    selection_key_specific:
        CommandLine|contains:
            - 'EnableVirtualizationBasedSecurity'
            - 'RequirePlatformSecurityFeatures'
            - 'LsaCfgFlags'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml