Windows Credential Guard Related Registry Value Deleted - Registry

Hunt Hypothesis

Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can acc

Detection Rule

Sigma (Original)

title: Windows Credential Guard Related Registry Value Deleted - Registry
id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
related:
    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
    - https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\DeviceGuard\RequirePlatformSecurityFeatures'
            - '\Lsa\LsaCfgFlags'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\DeviceGuard\\EnableVirtualizationBasedSecurity" or RegistryKey endswith "\\DeviceGuard\\LsaCfgFlags" or RegistryKey endswith "\\DeviceGuard\\RequirePlatformSecurityFeatures" or RegistryKey endswith "\\Lsa\\LsaCfgFlags"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\DeviceGuard\\EnableVirtualizationBasedSecurity" or RegistryKey endswith "\\DeviceGuard\\LsaCfgFlags" or RegistryKey endswith "\\DeviceGuard\\RequirePlatformSecurityFeatures" or RegistryKey endswith "\\Lsa\\LsaCfgFlags"

Required Data Sources

False Positive Guidance

• Unlikely

MITRE ATT&CK Context

• Tactic: Defense Evasion
• Technique: T1562.001 — Disable or Modify Tools

  Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or service

Validation (Atomic Red Team)

Use these Atomic Red Team tests to validate this detection fires correctly:

• T1562.001 — Disable or Modify Tools

References

• https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
• https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
• SigmaHQ Rule