new: Disable credential guard

regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-26T06:45:49.034405Z"
+        }
+      },
+      "EventRecordID": 23573,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3484,
+          "ThreadID": 3424
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-26 06:45:49.010",
+      "ProcessGuid": "0197231E-2F1D-694E-F304-000000000A00",
+      "ProcessId": 12232,
+      "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Windows PowerShell",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "PowerShell.EXE",
+      "CommandLine": "\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"Set-ItemProperty -Path \"HKLM:Software\\Policies\\Microsoft\\Windows\\DeviceGuard\" -Name \"EnableVirtualizationBasedSecurity\" -Value 0\"",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-DDAE-694E-10B6-120000000000",
+      "LogonId": "0x12b610",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=1736263E02468939F808C0528E8DBB7E,SHA256=1F9FFC2227F8DEA8B771D543C464CF8166C22A39420A5322B5892A640C4B34B6,IMPHASH=68A9FF9C8D0D4655E46E1A7A190A41D2",
+      "ParentProcessGuid": "00000000-0000-0000-0000-000000000000",
+      "ParentProcessId": 10996,
+      "ParentImage": "-",
+      "ParentCommandLine": "-",
+      "ParentUser": "-"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml

@@ -0,0 +1,13 @@
+id: f96a3ce2-ae73-4171-8877-71ccf1da7ce5
+description: N/A
+date: 2025-12-26
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
+      title: Windows Credential Guard Registry Tampering Via CommandLine
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx

regression_data/rules/windows/process_creation/proc_creation_win_susp_credential_guard_registry_deleted/c629cc9b-8ddf-4282-9f10-6934ce3ea1ee.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-26T19:24:05.907054Z"
+        }
+      },
+      "EventRecordID": 18297,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3484,
+          "ThreadID": 3424
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-26 19:24:05.893",
+      "ProcessGuid": "0197231E-E0D5-694E-3803-000000000A00",
+      "ProcessId": 11088,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "\"C:\\WINDOWS\\system32\\reg.exe\" DELETE HKLM\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard /V RequirePlatformSecurityFeatures /F",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-DDAE-694E-10B6-120000000000",
+      "LogonId": "0x12b610",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
+      "ParentProcessGuid": "0197231E-DEC6-694E-8902-000000000A00",
+      "ParentProcessId": 10996,
+      "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+      "ParentCommandLine": "powershell",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_susp_credential_guard_registry_deleted/info.yml

@@ -0,0 +1,13 @@
+id: 021bceb9-1c20-46af-a6ea-39c2a9583ff8
+description: N/A
+date: 2025-12-26
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: c629cc9b-8ddf-4282-9f10-6934ce3ea1ee
+      title: Windows Credential Guard Related Registry Value Deleted
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_susp_credential_guard_registry_deleted/c629cc9b-8ddf-4282-9f10-6934ce3ea1ee.evtx

regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/d645ef86-2396-48a1-a2b6-b629ca3f57ff.json

@@ -0,0 +1,51 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 12,
+      "Version": 2,
+      "Level": 4,
+      "Task": 12,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-26T19:24:05.918776Z"
+        }
+      },
+      "EventRecordID": 18298,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3484,
+          "ThreadID": 3424
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "DeleteValue",
+      "UtcTime": "2025-12-26 19:24:05.918",
+      "ProcessGuid": "0197231E-E0D5-694E-3803-000000000A00",
+      "ProcessId": 11088,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml

@@ -0,0 +1,13 @@
+id: 2e3725ae-2eaa-48a2-9d9b-4a7d55a75974
+description: N/A
+date: 2025-12-26
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
+      title: Windows Credential Guard Related Registry Values Deleted
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx

regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/73921b9c-cafd-4446-b0c6-fdb0ace42bc0.json

@@ -0,0 +1,52 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-26T06:45:50.191274Z"
+        }
+      },
+      "EventRecordID": 23575,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3484,
+          "ThreadID": 3424
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2025-12-26 06:45:50.187",
+      "ProcessGuid": "0197231E-2F1D-694E-F304-000000000A00",
+      "ProcessId": 12232,
+      "Image": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+      "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity",
+      "Details": "DWORD (0x00000000)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml

@@ -0,0 +1,13 @@
+id: 7d8d93c3-25b2-4225-9f91-66997f5b446f
+description: N/A
+date: 2025-12-26
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
+      title: Windows Credential Guard Disabled - Registry
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx

rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml

@@ -0,0 +1,52 @@
+title: Windows Credential Guard Registry Tampering Via CommandLine
+id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
+related:
+    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
+      type: similar
+status: experimental
+description: |
+    Detects windows crendential guard related registry tampering via command line tools such as reg.exe or PowerShell.
+    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
+references:
+    - https://woshub.com/disable-credential-guard-windows/
+    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-12-26
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+              - '\reg.exe'
+        - OriginalFileName:
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+              - 'reg.exe'
+    selection_cli:
+        CommandLine|contains:
+            - 'add '
+            - 'New-ItemProperty '
+            - 'Set-ItemProperty '
+            - 'si '  # SetItem Alias
+    selection_key_base:
+        CommandLine|contains:
+            - 'CurrentControlSet\Control\DeviceGuard'
+            - 'CurrentControlSet\Control\LSA'
+            - 'Software\Policies\Microsoft\Windows\DeviceGuard'
+    selection_key_specific:
+        CommandLine|contains:
+            - 'EnableVirtualizationBasedSecurity'
+            - 'RequirePlatformSecurityFeatures'
+            - 'LsaCfgFlags'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml