Detectionmediumtest

Scripted Diagnostics Turn Off Check Enabled - Registry

Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Christopher Peacock, SCYTHECreated Wed Jun 15Updated Thu Aug 177d995e63-ec83-4aa3-89d5-8a17b5c87c86windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
        Details: 'DWORD (0x00000001)'
    condition: selection

False Positives

Administrator actions

References

Resolving title…

twitter.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Rule Metadata

Rule ID

7d995e63-ec83-4aa3-89d5-8a17b5c87c86

Status

test

Level

medium

Type

Detection

Created

Wed Jun 15

Modified

Thu Aug 17

Author

Christopher Peacock, SCYTHE

Path

rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub