splApache-2.0from splunk/security_content
Disabling CMD Application
The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableCMD" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/disabling_cmd_application.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" Registry.registry_value_data = "0x00000001") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`