Windows Credential Guard Registry Tampering Via CommandLine

calendar Jan 29, 2026 · attack.defense-evasion attack.t1562.001  ·
Share on: linkedin copy

Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.

Sigma rule (View on GitHub)

 1title: Windows Credential Guard Registry Tampering Via CommandLine
 2id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
 3related:
 4    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
 5      type: similar
 6    - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
 7      type: similar
 8status: experimental
 9description: |
10    Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
11    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
12    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
13    The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
14    Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.    
15references:
16    - https://woshub.com/disable-credential-guard-windows/
17    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
18author: Swachchhanda Shrawan Poudel (Nextron Systems)
19date: 2025-12-26
20tags:
21    - attack.defense-evasion
22    - attack.t1562.001
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection_img:
28        - Image|endswith:
29              - '\powershell.exe'
30              - '\pwsh.exe'
31              - '\reg.exe'
32        - OriginalFileName:
33              - 'PowerShell.EXE'
34              - 'pwsh.dll'
35              - 'reg.exe'
36    selection_cli:
37        CommandLine|contains:
38            # add/modify
39            - 'add '
40            - 'New-ItemProperty '
41            - 'Set-ItemProperty '
42            - 'si '  # SetItem Alias
43            # delete
44            - 'delete '
45            - 'del '
46            - 'Remove-ItemProperty '
47            - 'rp '
48    selection_key_base:
49        CommandLine|contains:
50            - '\Control\DeviceGuard'
51            - '\Control\LSA'
52            - 'Software\Policies\Microsoft\Windows\DeviceGuard'
53    selection_key_specific:
54        CommandLine|contains:
55            - 'EnableVirtualizationBasedSecurity'
56            - 'RequirePlatformSecurityFeatures'
57            - 'LsaCfgFlags'
58    condition: all of selection_*
59falsepositives:
60    - Unlikely
61level: high
62regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml

References

Related rules

to-top