Detect Windows Update Disabled from Registry
| Id | f1443a87-78d5-40c3-b051-f468f0f2def0 |
| Rulename | Detect Windows Update Disabled from Registry |
| Description | This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host. |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1562 |
| Required data connectors | CiscoSecureEndpoint CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne TrendMicroApexOne TrendMicroApexOneAma VMwareCarbonBlack |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsUpdateDisabled.yaml |
| Version | 1.0.0 |
| Arm template | f1443a87-78d5-40c3-b051-f468f0f2def0.json |
// List of Windows Firewall registry keys to monitor
let windowsUpdateRegistryList = dynamic([
'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate',
'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU'
]);
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey has_any (windowsUpdateRegistryList)
| where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
queryPeriod: 1h
entityMappings:
- fieldMappings:
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
- columnName: NTDomain
identifier: NTDomain
entityType: Host
- fieldMappings:
- columnName: Username
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- columnName: NTDomain
identifier: NTDomain
entityType: Account
- fieldMappings:
- columnName: ActingProcessId
identifier: ProcessId
- columnName: ActingProcessCommandLine
identifier: CommandLine
entityType: Process
- fieldMappings:
- columnName: RegHive
identifier: Hive
- columnName: RegKey
identifier: Key
entityType: RegistryKey
- fieldMappings:
- columnName: RegistryValue
identifier: Name
- columnName: RegistryValueData
identifier: Value
- columnName: RegistryValueType
identifier: ValueType
entityType: RegistryValue
id: f1443a87-78d5-40c3-b051-f468f0f2def0
name: Detect Windows Update Disabled from Registry
kind: Scheduled
status: Available
description: |
This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.
tactics:
- DefenseEvasion
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: Windows Update Disabled from Registry on {{HostName}}
alertDescriptionFormat: Windows Update Disabled from Registry {{RegKey}} on {{HostName}} by {{Username}}
query: |
// List of Windows Firewall registry keys to monitor
let windowsUpdateRegistryList = dynamic([
'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate',
'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU'
]);
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey has_any (windowsUpdateRegistryList)
| where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
queryFrequency: 1h
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: singleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsUpdateDisabled.yaml
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
- SecurityAlert
connectorId: MicrosoftThreatProtection
- dataTypes:
- SentinelOne_CL
connectorId: SentinelOne
- dataTypes:
- CarbonBlackEvents_CL
connectorId: VMwareCarbonBlack
- dataTypes:
- CiscoSecureEndpoint_CL
connectorId: CiscoSecureEndpoint
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOne
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOneAma
tags:
- SchemaVersion: 0.1.2
Schema: _ASim_RegistryEvent
version: 1.0.0
relevantTechniques:
- T1562
severity: Medium
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f1443a87-78d5-40c3-b051-f468f0f2def0')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f1443a87-78d5-40c3-b051-f468f0f2def0')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Windows Update Disabled from Registry {{RegKey}} on {{HostName}} by {{Username}}",
"alertDisplayNameFormat": "Windows Update Disabled from Registry on {{HostName}}"
},
"alertRuleTemplateName": "f1443a87-78d5-40c3-b051-f468f0f2def0",
"customDetails": null,
"description": "This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.\n",
"displayName": "Detect Windows Update Disabled from Registry",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ActingProcessId",
"identifier": "ProcessId"
},
{
"columnName": "ActingProcessCommandLine",
"identifier": "CommandLine"
}
]
},
{
"entityType": "RegistryKey",
"fieldMappings": [
{
"columnName": "RegHive",
"identifier": "Hive"
},
{
"columnName": "RegKey",
"identifier": "Key"
}
]
},
{
"entityType": "RegistryValue",
"fieldMappings": [
{
"columnName": "RegistryValue",
"identifier": "Name"
},
{
"columnName": "RegistryValueData",
"identifier": "Value"
},
{
"columnName": "RegistryValueType",
"identifier": "ValueType"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "singleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsUpdateDisabled.yaml",
"query": "// List of Windows Firewall registry keys to monitor\nlet windowsUpdateRegistryList = dynamic([\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU'\n ]);\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \n| where RegistryKey has_any (windowsUpdateRegistryList) \n| where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'\n| project\n TimeGenerated,\n DvcHostname,\n ActorUsername,\n ActorUsernameType,\n ActingProcessId,\n ActingProcessName,\n ActingProcessCommandLine,\n RegistryKey,\n RegistryValue,\n RegistryValueType,\n RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"tags": [
{
"Schema": "_ASim_RegistryEvent",
"SchemaVersion": "0.1.2"
}
],
"techniques": [
"T1562"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}