Windows Credential Guard Registry Tampering Via CommandLine
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
MITRE ATT&CK
Detection Query
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- \reg.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- reg.exe
selection_cli:
CommandLine|contains:
- "add "
- "New-ItemProperty "
- "Set-ItemProperty "
- "si "
- "delete "
- "del "
- "Remove-ItemProperty "
- "rp "
selection_key_base:
CommandLine|contains:
- \Control\DeviceGuard
- \Control\LSA
- Software\Policies\Microsoft\Windows\DeviceGuard
selection_key_specific:
CommandLine|contains:
- EnableVirtualizationBasedSecurity
- RequirePlatformSecurityFeatures
- LsaCfgFlags
condition: all of selection_*
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2025-12-26
Data Sources
Platforms
References
Tags
Raw Content
title: Windows Credential Guard Registry Tampering Via CommandLine
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
related:
- id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
type: similar
- id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
type: similar
status: experimental
description: |
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
references:
- https://woshub.com/disable-credential-guard-windows/
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_cli:
CommandLine|contains:
# add/modify
- 'add '
- 'New-ItemProperty '
- 'Set-ItemProperty '
- 'si ' # SetItem Alias
# delete
- 'delete '
- 'del '
- 'Remove-ItemProperty '
- 'rp '
selection_key_base:
CommandLine|contains:
- '\Control\DeviceGuard'
- '\Control\LSA'
- 'Software\Policies\Microsoft\Windows\DeviceGuard'
selection_key_specific:
CommandLine|contains:
- 'EnableVirtualizationBasedSecurity'
- 'RequirePlatformSecurityFeatures'
- 'LsaCfgFlags'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml