add new rules to detect disabling system features via registry on Windows (#1034)

mike-hunhoff · web-flow · commit d64c2c91ea4b · 2025-03-24T10:38:19.000-06:00
* add new rules to detect disabling features via registry on Windows

* refactor

* refactor

* refactor

* update control registry regex to better handle multiple control sets
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml
@@ -25,11 +25,11 @@ rule:
       - string: /HARDWARE\\ACPI\\FADT\\VBOX__/i
       - string: /HARDWARE\\ACPI\\RSDT\\VBOX__/i
       - string: /SOFTWARE\\Oracle\\VirtualBox Guest Additions/i
-      - string: /SYSTEM\\ControlSet001\\Services\\VBoxGuest/i
-      - string: /SYSTEM\\ControlSet001\\Services\\VBoxMouse/i
-      - string: /SYSTEM\\ControlSet001\\Services\\VBoxService/i
-      - string: /SYSTEM\\ControlSet001\\Services\\VBoxSF/i
-      - string: /SYSTEM\\ControlSet001\\Services\\VBoxVideo/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\VBoxGuest/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\VBoxMouse/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\VBoxService/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\VBoxSF/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\VBoxVideo/i
       - string: /VBoxMouse\.sys/i
       - string: /VBoxGuest\.sys/i
       - string: /VBoxSF\.sys/i
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml
@@ -22,9 +22,9 @@ rule:
       - string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)/i
       - string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor/i
       - string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i
-      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\IDE/i
-      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\Disk\\Enum\\/i
-      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\SystemInformation\\SystemManufacturer/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Enum\\IDE/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\Disk\\Enum\\/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\SystemInformation\\SystemManufacturer/i
       - string: /A M I/i
       - string: /Hyper-V/i
       - string: /Kernel-VMDetection-Private/i
diff --git a/nursery/disable-device-guard-features-via-registry-on-windows.yml b/nursery/disable-device-guard-features-via-registry-on-windows.yml
@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: disable Device Guard features via registry on Windows
+    namespace: impact/features
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - and:
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\DeviceGuard/i
+          - or:
+            - string: /RequirePlatformSecurityFeatures/i
+            - string: /HVCIMATRequired/i
+            - string: /RequireSignedBoot/i
+            - string: /EnableVirtualizationBasedSecurity/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard/i
+          - string: /LsaCfgFlags/i
diff --git a/nursery/disable-firewall-features-via-registry-on-windows.yml b/nursery/disable-firewall-features-via-registry-on-windows.yml
@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: disable firewall features via registry on Windows
+    namespace: impact/features
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - and:
+          - or:
+            - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile/i
+            - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile/i
+          - or:
+            - string: /EnableFirewall/i
+            - string: /DisableNotifications/i
+        - and:
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile/i
+          - string: /DisableNotifications/i
diff --git a/nursery/disable-system-features-via-registry-on-windows.yml b/nursery/disable-system-features-via-registry-on-windows.yml
@@ -15,19 +15,62 @@ rule:
     - and:
       - match: set registry value
       - or:
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr/i
-        - string: /Software\\Policies\\Microsoft\\Windows\\System\\DisableCMD/i
-        - string: /SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoViewContextMenu/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoSizeChoice/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoColorChoice/i
-        - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackGroundPage/i
-        - string: /SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Restrictions\\NoBrowserClose/i
-        - string: /SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Restrictions\\NoFavorites/i
+        - and:
+          - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System/i
+          - or:
+            - string: /DisableRegistryTools/i
+            - string: /DisableTaskMgr/i
+            - string: /NoSizeChoice/i
+            - string: /NoColorChoice/i
+            - string: /NoDispBackGroundPage/i
+            - string: /EnableLUA/i
+        - and:
+          - string: /Software\\Policies\\Microsoft\\Windows\\System/i
+          - string: /DisableCMD/i
+        - and:
+          - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer/i
+          - or:
+            - string: /NoFind/i
+            - string: /NoDesktop/i
+            - string: /NoRun/i
+            - string: /NoClose/i
+            - string: /NoViewContextMenu/i
+            - string: /NoPropertiesMyComputer/i
+            - string: /HideClock/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Restrictions/i
+          - or:
+            - string: /NoBrowserClose/i
+            - string: /NoFavorites/i
+        - and:
+          - string: /SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting/i
+          - string: /Disabled/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU/i
+          - string: /NoAutoUpdate/i
+        - and:
+          - or:
+            - string: /SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i
+            - string: /SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i
+          - string: /SFCDisable/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate/i
+          - string: /DisableWindowsUpdateAccess/i
+        - and:
+          - string: /SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Maintenance/i
+          - string: /MaintenanceDisabled/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection/i
+          - string: /AllowTelemetry/i
+        - and:
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SecurityHealthService/i
+          - string: /Start/
+        - and:
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\EventLog/i
+          - string: /Start/
+        - and:
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Lsa/i
+          - string: /LsaCfgFlags/i
+        - and:
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\CI\\Config/i
+          - string: /VulnerableDriverBlocklistEnable/i
diff --git a/nursery/disable-system-restore-features-via-registry-on-windows.yml b/nursery/disable-system-restore-features-via-registry-on-windows.yml
@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: disable System Restore features via registry on Windows
+    namespace: impact/features
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+  features:
+    - and:
+      - match: set registry value
+      - string: /SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore/i
+      - or:
+        - string: /DisableSR/i
+        - string: /DisableConfig/i
diff --git a/nursery/disable-windows-defender-features-via-registry-on-windows.yml b/nursery/disable-windows-defender-features-via-registry-on-windows.yml
@@ -0,0 +1,49 @@
+rule:
+  meta:
+    name: disable Windows Defender features via registry on Windows
+    namespace: impact/features
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection/i
+          - or:
+            - string: /DisableScriptScanning/i
+            - string: /DisableNetworkProtection/i
+            - string: /SubmitSamplesConsent/i
+            - string: /DisableCloudProtection/i
+            - string: /DisableBlockAtFirstSeen/i
+            - string: /DisableBehaviorMonitoring/i
+            - string: /DisableOnAccessProtection/i
+            - string: /DisableScanOnRealtimeEnable/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows Defender/i
+          - or:
+            - string: /DisableTamperProtection/i
+            - string: /DisableSpecialRunningModes/i
+            - string: /DisableRoutinelyTakingAction/i
+            - string: /DisableRealtimeMonitoring/i
+            - string: /DisableIntrusionPreventionSystem/i
+            - string: /DisableIOAVProtection/i
+            - string: /DisableCredentialGuard/i
+            - string: /DisableControlledFolderAccess/i
+            - string: /DisableApplicationGuard/i
+            - string: /PUAProtection/i
+            - string: /ServiceKeepAlive/i
+            - string: /DisableAntiSpyware/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications/i
+          - string: /DisableNotifications/i
+        - and:
+          - string: /SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard/i
+          - string: /EnableExploitProtection/i
diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml
@@ -19,7 +19,7 @@ rule:
         - or:
           - match: query or enumerate registry key
           - match: query or enumerate registry value
-        - string: /System\\(CurrentControlSet|ControlSet001)\\Services/i
-        - string: /System\\(CurrentControlSet|ControlSet001)\\Control/i
-        - string: /System\\(CurrentControlSet|ControlSet001)\\Enum/i
-        - string: /System\\(CurrentControlSet|ControlSet001)\\HardwareProfiles/i
+        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i
+        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control/i
+        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Enum/i
+        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\HardwareProfiles/i
diff --git a/nursery/persist-via-appcertdlls-registry-key.yml b/nursery/persist-via-appcertdlls-registry-key.yml
@@ -14,4 +14,4 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i
+      - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager\\AppCertDlls/i
diff --git a/nursery/persist-via-autodialdll-registry-key.yml b/nursery/persist-via-autodialdll-registry-key.yml
@@ -15,5 +15,5 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\WinSock2\\Parameters/i
+      - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services\\WinSock2\\Parameters/i
       - string: /AutodialDLL/i
diff --git a/nursery/persist-via-bootverificationprogram-registry-key.yml b/nursery/persist-via-bootverificationprogram-registry-key.yml
@@ -14,5 +14,5 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\BootVerificationProgram/i
+      - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control\\BootVerificationProgram/i
       - string: /ImagePath/i
diff --git a/nursery/persist-via-lsa-registry-key.yml b/nursery/persist-via-lsa-registry-key.yml
@@ -18,11 +18,11 @@ rule:
       - match: set registry value
       - or:
         - and:
-          - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Lsa/i
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Lsa/i
           - or:
             - string: /Authentication Packages/i
             - string: /Notification packages/i
             - string: /Security Packages/i
         - and:
-          - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\LsaExtensionConfig\\LsaSrv/i
+          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\LsaExtensionConfig\\LsaSrv/i
           - string: /Extensions/i
diff --git a/nursery/persist-via-natural-language-registry-key.yml b/nursery/persist-via-natural-language-registry-key.yml
@@ -14,7 +14,7 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\ContentIndex\\Language\\/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\ContentIndex\\Language\\/i
       - or:
         - string: /StemmerDLLPathOverride/i
         - string: /WBDLLPathOverride/i
diff --git a/nursery/persist-via-network-provider-registry-key.yml b/nursery/persist-via-network-provider-registry-key.yml
@@ -14,5 +14,5 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\.*\\NetworkProvider/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\.*\\NetworkProvider/i
       - string: /ProviderPath/i
diff --git a/nursery/persist-via-print-monitors-registry-key.yml b/nursery/persist-via-print-monitors-registry-key.yml
@@ -15,5 +15,5 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Monitors\\/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Print\\Monitors\\/i
       - string: /^Driver$/i
diff --git a/nursery/persist-via-print-processors-registry-key.yml b/nursery/persist-via-print-processors-registry-key.yml
@@ -15,7 +15,7 @@ rule:
     - or:
       - and:
         - match: set registry value
-        - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Environments\\.*\\Print Processors\\/i
+        - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Print\\Environments\\.*\\Print Processors\\/i
         - string: /^Driver$/i
       - and:
         - or:
diff --git a/nursery/persist-via-rdp-startup-programs-registry-key.yml b/nursery/persist-via-rdp-startup-programs-registry-key.yml
@@ -15,5 +15,5 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\Wds\\rdpwd/i
+      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Terminal Server\\Wds\\rdpwd/i
       - string: /^StartupPrograms$/i
diff --git a/nursery/persist-via-timeproviders-registry-key.yml b/nursery/persist-via-timeproviders-registry-key.yml
@@ -15,5 +15,5 @@ rule:
   features:
     - and:
       - match: set registry value
-      - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\W32Time\\TimeProviders\\/i
+      - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services\\W32Time\\TimeProviders\\/i
       - string: /^DllName$/i
diff --git a/nursery/persist-via-ts-initialprogram-registry-key.yml b/nursery/persist-via-ts-initialprogram-registry-key.yml
@@ -16,5 +16,5 @@ rule:
       - match: set registry value
       - or:
         - string: /\\Policies\\Microsoft\\Windows NT\\Terminal Services/i
-        - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\WinStations\\RDP-Tcp/i
+        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Terminal Server\\WinStations\\RDP-Tcp/i
       - string: /^InitialProgram$/i
diff --git a/persistence/registry/run/persist-via-run-registry-key.yml b/persistence/registry/run/persist-via-run-registry-key.yml
@@ -29,4 +29,4 @@ rule:
         - string: /Software\\Microsoft\\Windows\\CurrentVersion\\RunServices/i
         - string: /Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run/i
         - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load/i
-        - string: /System\\CurrentControlSet\\Control\\Session Manager\\BootExecute/i
+        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager\\BootExecute/i
diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
@@ -39,4 +39,4 @@ rule:
           - string: /New-Service /i
       - and:
         - match: set registry value
-        - string: /System\\(CurrentControlSet|ControlSet001)\\Services/i
+        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i
