Detectionmediumtest
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic1 selector
detection:
selection_set_1:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu'
Details: 'DWORD (0x00000001)'
condition: selection_set_1False Positives
Legitimate admin script
References
MITRE ATT&CK
Techniques
Rule Metadata
Rule ID
1c3121ed-041b-4d97-a075-07f54f20fb4a
Status
test
Level
medium
Type
Detection
Created
Fri Mar 18
Modified
Thu Aug 17
Author
Path
rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
Raw Tags
attack.persistenceattack.defense-evasionattack.t1112