Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Disabling Security Services via Registry

Disabling Security Services via Registry

Back
Id32b29155-3fd3-4a9e-a0ca-a67e2593b60b
RulenameDisabling Security Services via Registry
DescriptionThis query checks for processes modifying the registry to disable security features. This is a common technique used by threat actors for defence evasion.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DEV-0270/DisableSecurityServiceViaRegistry.yaml
Version1.0.0
Arm template32b29155-3fd3-4a9e-a0ca-a67e2593b60b.json
Deploy To Azure
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f')
  and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 
  'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

triggerThreshold: 0
relevantTechniques:
- T1562
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f')
    and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 
    'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource')
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountUpn
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Process
  fieldMappings:
  - identifier: ProcessId
    columnName: ProcessId
  - identifier: CommandLine
    columnName: ProcessCommandLine
name: Disabling Security Services via Registry
version: 1.0.0
severity: Medium
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
description: |
    This query checks for processes modifying the registry to disable security features. This is a common technique used by threat actors for defence evasion.
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DEV-0270/DisableSecurityServiceViaRegistry.yaml
kind: Scheduled
queryFrequency: 1h
tactics:
- DefenseEvasion
status: Available
id: 32b29155-3fd3-4a9e-a0ca-a67e2593b60b