Windows Credential Guard Related Registry Value Deleted - Registry

 1title: Windows Credential Guard Related Registry Value Deleted - Registry
 2id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
 3related:
 4    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
 5      type: similar
 6status: experimental
 7description: |
 8    Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 9    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.    
10references:
11    - https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
12    - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2025-12-26
15tags:
16    - attack.defense-evasion
17    - attack.t1562.001
18logsource:
19    category: registry_delete
20    product: windows
21detection:
22    selection:
23        TargetObject|endswith:
24            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
25            - '\DeviceGuard\LsaCfgFlags'
26            - '\DeviceGuard\RequirePlatformSecurityFeatures'
27            - '\Lsa\LsaCfgFlags'
28    condition: selection
29falsepositives:
30    - Unlikely
31level: high
32regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml