Scripted Diagnostics Turn Off Check Enabled - Registry
Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
Sigma rule (View on GitHub)
1title: Scripted Diagnostics Turn Off Check Enabled - Registry
2id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
3status: experimental
4description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
5references:
6 - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
7author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
8date: 2022/06/15
9modified: 2023/08/17
10tags:
11 - attack.defense_evasion
12 - attack.t1562.001
13logsource:
14 product: windows
15 category: registry_set
16detection:
17 selection:
18 TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
19 Details: 'DWORD (0x00000001)'
20 condition: selection
21falsepositives:
22 - Administrator actions
23level: medium
References
Related rules
- Disable Exploit Guard Network Protection on Windows Defender
- Disable PUA Protection on Windows Defender
- Disable Privacy Settings Experience in Registry
- Disable Tamper Protection on Windows Defender
- Disable Windows Defender Functionalities Via Registry Keys