EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Windows Credential Guard Disabled - Registry

Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

MITRE ATT&CK

T1685

Detection Query

selection:
  TargetObject|endswith:
    - \DeviceGuard\EnableVirtualizationBasedSecurity
    - \DeviceGuard\LsaCfgFlags
    - \Lsa\LsaCfgFlags
  Details: DWORD (0x00000000)
condition: selection

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-12-26

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.defense-impairmentattack.t1685
Raw Content
title: Windows Credential Guard Disabled - Registry
id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
related:
    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
    - https://woshub.com/disable-credential-guard-windows/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\Lsa\LsaCfgFlags'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml