Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

Windows Credential Guard Related Registry Value Deleted - Registry

Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Dec 26d645ef86-2396-48a1-a2b6-b629ca3f57ffwindows
Log Source
WindowsRegistry Delete
ProductWindows← raw: windows
CategoryRegistry Delete← raw: registry_delete
Detection Logic
Detection Logic1 selector
detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\DeviceGuard\RequirePlatformSecurityFeatures'
            - '\Lsa\LsaCfgFlags'
    condition: selection
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
github.com
2
Resolving title…
learn.microsoft.com
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

Windows Credential Guard Registry Tampering Via CommandLine

Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
d645ef86-2396-48a1-a2b6-b629ca3f57ff
Status
experimental
Level
high
Type
Detection
Created
Fri Dec 26
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/registry/registry_delete/registry_delete_disable_credential_guard.yml
Raw Tags
attack.defense-evasionattack.t1562.001
View on GitHub