Detectionhighexperimental

Windows Credential Guard Disabled - Registry

Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Dec 2673921b9c-cafd-4446-b0c6-fdb0ace42bc0windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\Lsa\LsaCfgFlags'
        Details: 'DWORD (0x00000000)'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

woshub.com

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

SimilarDetectionhigh

Windows Credential Guard Registry Tampering Via CommandLine

Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

73921b9c-cafd-4446-b0c6-fdb0ace42bc0

Status

experimental

Level

high

Type

Detection

Created

Fri Dec 26

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_credential_guard_disabled.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub