Scripted Diagnostics Turn Off Check Enabled - Registry

 1title: Scripted Diagnostics Turn Off Check Enabled - Registry
 2id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
 3status: experimental
 4description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
 5references:
 6    - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
 7author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 8date: 2022/06/15
 9modified: 2023/08/17
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    product: windows
15    category: registry_set
16detection:
17    selection:
18        TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
19        Details: 'DWORD (0x00000001)'
20    condition: selection
21falsepositives:
22    - Administrator actions
23level: medium

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Disable Exploit Guard Network Protection on Windows Defender
• Disable PUA Protection on Windows Defender
• Disable Privacy Settings Experience in Registry
• Disable Tamper Protection on Windows Defender
• Disable Windows Defender Functionalities Via Registry Keys