Adversaries may disable security services by modifying registry keys to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromises and disrupt adversary operations early.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f')
  and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup',
  'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource')
```
Hunting query definition (YAML):

```yaml
id: 3c6038db-c915-42f3-b20e-22ac7ebb1182
name: Disabling Services via Registry
description: |
  Search for processes modifying the registry to disable security features.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense Evasion
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f')
    and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup',
    'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
The following benign scenarios can also trigger this query; each is paired with the filter or exclusion to apply once the activity has been confirmed as expected in your environment.

- **Scenario:** A system administrator is using Group Policy Management Console (GPMC) to disable a non-essential service for performance optimization.
  - **Filter/Exclusion:** Check for processes associated with gpmc.msc or gpupdate.exe and exclude registry modifications made by these processes.
- **Scenario:** A scheduled task (e.g., Task Scheduler) is configured to run a script that temporarily disables a service during maintenance windows.
  - **Filter/Exclusion:** Filter events where the process name matches schtasks.exe or the task is associated with a known maintenance schedule.
- **Scenario:** A third-party application (e.g., Microsoft System Center Configuration Manager) performs registry modifications as part of its configuration management process.
  - **Filter/Exclusion:** Exclude registry changes made by processes associated with ConfigMgr or SCCM services (e.g., ccmexec.exe).
- **Scenario:** An IT automation tool (e.g., Ansible, Puppet, or Chef) is used to apply configuration changes across multiple systems, including registry modifications.
  - **Filter/Exclusion:** Filter events where the process name matches the automation tool’s agent (e.g., ansible.exe, puppet.exe, or chef-client.exe).
- **Scenario:** A Windows Update or Windows Defender scheduled scan temporarily disables certain services to perform system maintenance.
  - **Filter/Exclusion:** Exclude registry modifications made by wuauserv.exe or MsMpEng.exe during scheduled update or scan events.
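To check that the query's `has_all`/`has_any` conditions and the exclusions above behave as intended before they are deployed, the following is an added example, not part of the original page and not Microsoft's or Sentinel's code. It re-implements the where-clause in Python and runs it over constructed `DeviceProcessEvents` rows. It assumes that case-insensitive substring matching is an adequate stand-in for KQL's term-based `has_all`/`has_any` for the fixed literals in this query, the `ProcessEvent`, `hunt` and `BENIGN_INITIATORS` names are hypothetical, and the exclusion list is a starting point taken from the scenarios rather than a vetted allow-list.

```python
# Added example (not from the original hunting query page, not Microsoft's or
# Sentinel's code): an offline re-implementation of the query's matching logic
# plus the page's suggested exclusions, run over constructed DeviceProcessEvents
# rows so the detection can be exercised without a workspace.
#
# Assumption: KQL has_all/has_any do case-insensitive whole-term matching; this
# uses case-insensitive substring matching, which behaves the same for the
# fixed literals in this query but is not a general KQL term matcher.
from dataclasses import dataclass
from typing import List

# Literals copied from the page's KQL query.
REQUIRED_ALL = ['"reg"', 'add', '"HKLM\\SOFTWARE\\Policies\\',
                '/v', '/t', 'REG_DWORD', '/d', '/f']
REQUIRED_ANY = ['DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN',
                'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource']

# Initiating processes named in the page's false-positive scenarios. Assumed
# starting list; confirm each entry against what really runs in your estate.
BENIGN_INITIATORS = {'gpupdate.exe', 'schtasks.exe', 'ccmexec.exe', 'ansible.exe',
                     'puppet.exe', 'chef-client.exe', 'wuauserv.exe', 'msmpeng.exe'}


@dataclass
class ProcessEvent:
    """The DeviceProcessEvents columns this query needs (hypothetical model)."""
    timestamp: str
    device_name: str
    initiating_process_file_name: str
    initiating_process_command_line: str


def has_all(text: str, terms: List[str]) -> bool:
    """Approximates KQL has_all: every term present, case-insensitive."""
    lowered = text.lower()
    return all(term.lower() in lowered for term in terms)


def has_any(text: str, terms: List[str]) -> bool:
    """Approximates KQL has_any: at least one term present, case-insensitive."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def matches_query(event: ProcessEvent) -> bool:
    """The page's where-clause: a reg add under the Policies hive naming one of the watched values."""
    cmd = event.initiating_process_command_line
    return has_all(cmd, REQUIRED_ALL) and has_any(cmd, REQUIRED_ANY)


def is_benign_initiator(event: ProcessEvent) -> bool:
    """Exclusion drawn from the false-positive scenarios: known admin/automation tooling."""
    return event.initiating_process_file_name.lower() in BENIGN_INITIATORS


def hunt(events: List[ProcessEvent], apply_exclusions: bool = True) -> List[ProcessEvent]:
    """Return the rows an analyst should review; exclusions drop known-benign initiators."""
    hits = []
    for ev in events:
        if not matches_query(ev):
            continue
        if apply_exclusions and is_benign_initiator(ev):
            continue
        hits.append(ev)
    return hits


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Interactive shell turning off real-time monitoring: should surface.
    ProcessEvent('2024-05-01T09:12:03Z', 'WS-FINANCE-07', 'cmd.exe',
                 r'"reg" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
                 r'/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
    # 2. Same pattern but initiated by gpupdate.exe (GPMC scenario): matches, then excluded.
    ProcessEvent('2024-05-01T09:15:44Z', 'WS-HR-02', 'gpupdate.exe',
                 r'"reg" add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 1 /f'),
    # 3. Policy write to an unrelated value: has_all passes, has_any fails.
    ProcessEvent('2024-05-01T09:20:10Z', 'WS-DEV-11', 'cmd.exe',
                 r'"reg" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" '
                 r'/v AUOptions /t REG_DWORD /d 2 /f'),
    # 4. Read-only query naming a watched value: has_all fails (no add, /t, /d, /f).
    ProcessEvent('2024-05-01T09:25:30Z', 'WS-DEV-11', 'powershell.exe',
                 r'"reg" query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
                 r'/v DisableRealtimeMonitoring'),
]


if __name__ == '__main__':
    for hit in hunt(SAMPLE_EVENTS):
        print(f'{hit.timestamp} {hit.device_name} {hit.initiating_process_file_name}: '
              f'{hit.initiating_process_command_line}')
```

Running the script prints only the WS-FINANCE-07 row: the gpupdate.exe row matches the query but is dropped by the exclusion, and the other two rows never satisfy the where-clause. In the live query the same exclusion is expressed as an extra filter on `InitiatingProcessFileName` (for example with `!in~`), and the case-insensitive substring approximation here means a value such as `UseTPMKey` also matches `UseTPMKeyPIN`, which the KQL original does too because both names are in its `has_any` list.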