← Back to Explore
sigmamediumHunting
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
Detection Query
selection_set_1:
TargetObject|endswith:
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
- SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
- SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
Details: DWORD (0x00000001)
selection_set_0:
TargetObject|endswith:
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
- Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
- SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled
- SYSTEM\CurrentControlSet\Control\Storage\Write Protection
- SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
Details: DWORD (0x00000000)
condition: 1 of selection_set_*
Author
frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
Created
2022-03-18
Data Sources
windowsRegistry Set Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
Tags
attack.persistenceattack.defense-evasionattack.t1112
Raw Content
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
- attack.persistence
- attack.defense-evasion
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_set_1:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
- 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
Details: 'DWORD (0x00000001)'
selection_set_0:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
- 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
- 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
- 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
Details: 'DWORD (0x00000000)'
condition: 1 of selection_set_*
falsepositives:
- Legitimate admin script
level: medium