Scripted Diagnostics Turn Off Check Enabled - Registry
Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
Sigma rule (View on GitHub)
1title: Scripted Diagnostics Turn Off Check Enabled - Registry
2id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
3status: test
4description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
5references:
6 - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
7author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
8date: 2022-06-15
9modified: 2023-08-17
10tags:
11 - attack.defense-evasion
12 - attack.t1562.001
13logsource:
14 product: windows
15 category: registry_set
16detection:
17 selection:
18 TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
19 Details: 'DWORD (0x00000001)'
20 condition: selection
21falsepositives:
22 - Administrator actions
23level: medium
References
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility