Windows Credential Guard Disabled - Registry

calendar Jan 29, 2026 · attack.defense-evasion attack.t1562.001  ·
Share on: linkedin copy

Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

Sigma rule (View on GitHub)

 1title: Windows Credential Guard Disabled - Registry
 2id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
 3related:
 4    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
 5      type: similar
 6status: experimental
 7description: |
 8    Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 9    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.    
10references:
11    - https://woshub.com/disable-credential-guard-windows/
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-12-26
14tags:
15    - attack.defense-evasion
16    - attack.t1562.001
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|endswith:
23            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
24            - '\DeviceGuard\LsaCfgFlags'
25            - '\Lsa\LsaCfgFlags'
26        Details: 'DWORD (0x00000000)'
27    condition: selection
28falsepositives:
29    - Unlikely
30level: high
31regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml

References

Related rules

to-top