impact/features

disable system features via registry on Windows

rule:
  meta:
    name: disable system features via registry on Windows
    namespace: impact/features
    authors:
      - mehunhoff@google.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
    mbc:
      - Defense Evasion::Disable or Evade Security Tools [F0004]
  features:
    - and:
      - match: set registry value
      - or:
        - and:
          - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System/i
          - or:
            - string: /DisableRegistryTools/i
            - string: /DisableTaskMgr/i
            - string: /NoSizeChoice/i
            - string: /NoColorChoice/i
            - string: /NoDispBackGroundPage/i
            - string: /EnableLUA/i
        - and:
          - string: /Software\\Policies\\Microsoft\\Windows\\System/i
          - string: /DisableCMD/i
        - and:
          - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer/i
          - or:
            - string: /NoFind/i
            - string: /NoDesktop/i
            - string: /NoRun/i
            - string: /NoClose/i
            - string: /NoViewContextMenu/i
            - string: /NoPropertiesMyComputer/i
            - string: /HideClock/i
        - and:
          - string: /SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Restrictions/i
          - or:
            - string: /NoBrowserClose/i
            - string: /NoFavorites/i
        - and:
          - string: /SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting/i
          - string: /Disabled/i
        - and:
          - string: /SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU/i
          - string: /NoAutoUpdate/i
        - and:
          - or:
            - string: /SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i
            - string: /SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i
          - string: /SFCDisable/i
        - and:
          - string: /SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate/i
          - string: /DisableWindowsUpdateAccess/i
        - and:
          - string: /SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Maintenance/i
          - string: /MaintenanceDisabled/i
        - and:
          - string: /SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection/i
          - string: /AllowTelemetry/i
        - and:
          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SecurityHealthService/i
          - string: /Start/
        - and:
          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\EventLog/i
          - string: /Start/
        - and:
          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Lsa/i
          - string: /LsaCfgFlags/i
        - and:
          - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\CI\\Config/i
          - string: /VulnerableDriverBlocklistEnable/i

last edited: 2025-03-24 16:38:19