splApache-2.0from splunk/security_content
Windows Disable Notification Center
The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableNotificationCenter" registry value set to "0x00000001." This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_disable_notification_center.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (
Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data = "0x00000001"
)
BY Registry.action Registry.dest Registry.process_guid
Registry.process_id Registry.registry_hive Registry.registry_path
Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
Registry.registry_value_type Registry.status Registry.user
Registry.vendor_product
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_disable_notification_center_filter`