SPL rule · Apache-2.0 · from splunk/security_content

Windows Chrome Auto-Update Disabled via Registry

The following analytic detects modifications to Windows registry values that disable Google Chrome auto-updates. Changes to values such as DisableAutoUpdateChecksCheckboxValue = 1, Update{8A69D345-D564-463C-AFF1-A69D9E530F96} = 0, UpdateDefault = 0, and AutoUpdateCheckPeriodMinutes = 0 can prevent Chrome from receiving security updates. This behavior may indicate attempts to bypass update policies, maintain unauthorized extensions, or facilitate malware persistence. Monitoring these registry changes helps identify potential policy violations or malicious activity targeting browser security.

Quality score: 67
Rule source: detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
  where Registry.registry_path = "*\\Google\\Update*"
    AND
    (
      (
        Registry.registry_value_name = "DisableAutoUpdateChecksCheckboxValue"
        Registry.registry_value_data = 0x00000001
      )
      OR
      (
        Registry.registry_value_name IN (
          "AutoUpdateCheckPeriodMinutes",
          "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}",
          "UpdateDefault"
        )
        Registry.registry_value_data = 0x00000000
      )
    )
  by Registry.action Registry.dest Registry.process_guid Registry.process_id
     Registry.registry_hive Registry.registry_path Registry.registry_key_name
     Registry.registry_value_data Registry.registry_value_name
     Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_chrome_auto_update_disabled_via_registry_filter`
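The rule's where-clause re-implemented outside Splunk, as an added example that is not part of the rule or of splunk/security_content: a Python predicate run over constructed CIM-style Endpoint.Registry events, useful for unit-testing the logic or porting it to another pipeline. It goes slightly beyond the SPL by accepting both the bare "0x00000001" data form the rule compares against and the "DWORD (0x00000001)" form Sysmon Event ID 13 writes (an assumption about how the field arrives in your data model), and it makes the grouping explicit: Splunk evaluates OR before AND, so the path filter already guards both value groups in the SPL. Hostnames, users and process ids in the sample events are made up.

```python
import re

# Registry values the rule watches (names taken from the rule) and the
# DWORD setting of each that disables Chrome auto-updates.
DISABLE_WHEN_ONE = {"DisableAutoUpdateChecksCheckboxValue"}
DISABLE_WHEN_ZERO = {
    "AutoUpdateCheckPeriodMinutes",
    "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}",
    "UpdateDefault",
}

# The rule's "*\Google\Update*" wildcard as a substring test, matched
# case-insensitively (assumption: registry_path comparison in the data
# model is case-insensitive; adjust if your source preserves case).
PATH_MARKER = "\\google\\update"

_DWORD_RE = re.compile(r"0x([0-9a-fA-F]{1,8})")


def dword_value(data):
    """Return the integer held in a registry_value_data string, or None.

    Accepts both the bare "0x00000001" form the SPL compares against and
    the "DWORD (0x00000001)" form Sysmon Event ID 13 writes into Details
    (assumption about how the field arrives in Endpoint.Registry)."""
    match = _DWORD_RE.search(data or "")
    return int(match.group(1), 16) if match else None


def disables_chrome_updates(event):
    """Python mirror of the rule's where-clause: the path test guards both
    value groups, then each value name is checked against the setting
    that turns updates off."""
    path = (event.get("registry_path") or "").lower()
    if PATH_MARKER not in path:
        return False
    name = event.get("registry_value_name", "")
    value = dword_value(event.get("registry_value_data", ""))
    if name in DISABLE_WHEN_ONE:
        return value == 1
    if name in DISABLE_WHEN_ZERO:
        return value == 0
    return False


def find_alerts(events):
    """Apply the predicate to an iterable of CIM-style registry events."""
    return [e for e in events if disables_chrome_updates(e)]


# Constructed sample events in the Endpoint.Registry field layout.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_id": "4120",
     "registry_path": r"HKLM\SOFTWARE\Policies\Google\Update\UpdateDefault",
     "registry_value_name": "UpdateDefault",
     "registry_value_data": "DWORD (0x00000000)"},
    {"dest": "ws02", "user": "CORP\\bob", "process_id": "7788",
     "registry_path": r"HKLM\SOFTWARE\Policies\Google\Update\DisableAutoUpdateChecksCheckboxValue",
     "registry_value_name": "DisableAutoUpdateChecksCheckboxValue",
     "registry_value_data": "0x00000001"},
    # A legitimate 180-minute check interval: value is non-zero, no alert.
    {"dest": "ws03", "user": "SYSTEM", "process_id": "1100",
     "registry_path": r"HKLM\SOFTWARE\Policies\Google\Update\AutoUpdateCheckPeriodMinutes",
     "registry_value_name": "AutoUpdateCheckPeriodMinutes",
     "registry_value_data": "DWORD (0x000000b4)"},
    # Same value name under an unrelated vendor key: the path guard drops it.
    {"dest": "ws04", "user": "CORP\\carol", "process_id": "5004",
     "registry_path": r"HKLM\SOFTWARE\Policies\ExampleVendor\Update\UpdateDefault",
     "registry_value_name": "UpdateDefault",
     "registry_value_data": "DWORD (0x00000000)"},
    # Per-app override set to 1 (updates enabled): not a disable, no alert.
    {"dest": "ws05", "user": "SYSTEM", "process_id": "2212",
     "registry_path": r"HKLM\SOFTWARE\Policies\Google\Update\Update{8A69D345-D564-463C-AFF1-A69D9E530F96}",
     "registry_value_name": "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}",
     "registry_value_data": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"{hit['dest']}: {hit['registry_value_name']} = "
              f"{hit['registry_value_data']} by {hit['user']} (pid {hit['process_id']})")
```

Run as a script it prints the two ws01 and ws02 events; the ws03 interval change, the ws04 event outside the Google\Update key, and the ws05 value set to 1 are all dropped, which is the same triage the SPL performs before the `by` clause groups survivors per host, user and process.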
Windows Chrome Auto-Update Disabled via Registry · SPL rule | DetectionLint