SPL, Apache-2.0, from splunk/security_content

Disabling Windows Local Security Authority Defences via Registry

The following analytic identifies the deletion, or the resetting to zero, of the registry values that enforce Local Security Authority (LSA) protection (RunAsPPL, LsaCfgFlags) and the Microsoft Defender Device Guard policy settings. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access.

Rule source: detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml

| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry
    where Registry.registry_path IN ("*\\Lsa\\LsaCfgFlags", "*\\Lsa\\RunAsPPL", "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*")
    AND ((Registry.action = deleted) OR (Registry.action = modified AND Registry.registry_value_data IN(0x00000000, 0)))
    by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path
       Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type
       Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `disabling_windows_local_security_authority_defences_via_registry_filter`
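The same matching logic as the SPL above, re-implemented in Python over constructed EDR registry events so the rule's conditions (watched paths, deleted or modified-to-zero, hex versus decimal zero) can be exercised offline. This is an added example, not code from the Splunk rule; the event field names mirror the Endpoint.Registry fields, and the sample events and hostnames are invented.

```python
import fnmatch
from typing import Iterable

# Same wildcard path patterns the SPL rule uses; Splunk '*' behaves like fnmatch '*'.
WATCHED_PATHS = (
    "*\\Lsa\\LsaCfgFlags",
    "*\\Lsa\\RunAsPPL",
    "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*",
)

def _is_zero(value) -> bool:
    """Registry.registry_value_data IN (0x00000000, 0): accept ints or hex/decimal strings."""
    if value is None:
        return False
    if isinstance(value, int):
        return value == 0
    try:
        return int(str(value).strip(), 0) == 0   # base 0 parses both "0x00000000" and "0"
    except ValueError:
        return False

def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's path AND (deleted OR modified-to-zero) clause."""
    path = event.get("registry_path", "")
    # Compare case-insensitively: registry paths in EDR telemetry vary in case.
    if not any(fnmatch.fnmatch(path.lower(), p.lower()) for p in WATCHED_PATHS):
        return False
    action = event.get("action")
    if action == "deleted":
        return True
    return action == "modified" and _is_zero(event.get("registry_value_data"))

def find_hits(events: Iterable[dict]) -> list:
    return [e for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\admin", "action": "modified",                   # PPL turned off: hit
     "registry_path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "registry_value_data": "0x00000000"},
    {"dest": "ws01", "user": "CORP\\admin", "action": "modified",                   # PPL enabled: no hit
     "registry_path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "registry_value_data": "0x00000001"},
    {"dest": "ws02", "user": "SYSTEM", "action": "deleted",                         # policy value removed: hit
     "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\SampleValue", "registry_value_data": None},
    {"dest": "ws03", "user": "CORP\\svc", "action": "modified",                     # LsaCfgFlags cleared: hit
     "registry_path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags", "registry_value_data": 0},
    {"dest": "ws03", "user": "CORP\\svc", "action": "created",                      # unrelated path: no hit
     "registry_path": "HKLM\\SOFTWARE\\Example\\Setting", "registry_value_data": 0},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} {hit['action']} {hit['registry_path']}")
```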