
Summary
The rule 'CrashControl CrashDump Disabled' identifies instances where the CrashDump feature is disabled in the Windows registry, specifically under the key 'SYSTEM\CurrentControlSet\Control\CrashControl'. Disabling crash dumps is often associated with malware activity, particularly with threats such as HermeticWiper, which is known to target systems by erasing critical data and rendering recovery options ineffective. The detection relies on identifying a modification under the specified registry key in which the value is set to DWORD (0x00000000), indicating that crash dumps are turned off. This behavior is considered suspicious and is monitored to prevent potential data loss during critical system failures. The rule has a medium severity level and is intended to help security professionals identify and respond to potential threats involving unauthorized changes to system settings.
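The match logic described above, run over constructed Sysmon "Registry value set" (Event ID 13) records, as an added example that is not the rule's own source. It assumes the monitored value under CrashControl is CrashDumpEnabled (the page names only the key) and that the log source renders REG_DWORD data as "DWORD (0x00000000)", which is how Sysmon writes the Details field.

```python
"""Evaluate the 'CrashControl CrashDump Disabled' match logic over constructed
Sysmon Event ID 13 (RegistryEvent: Value Set) records.
Assumed, not stated on the page: the monitored value is CrashDumpEnabled."""

CRASHCONTROL_KEY = r"\SYSTEM\CurrentControlSet\Control\CrashControl"
TARGET_SUFFIX = (CRASHCONTROL_KEY + r"\CrashDumpEnabled").lower()  # assumed value name
DISABLED_DETAILS = "DWORD (0x00000000)"  # Sysmon renders REG_DWORD data this way


def is_crashdump_disabled(event: dict) -> bool:
    """True when a value-set record turns CrashDumpEnabled off (0)."""
    if event.get("EventID") != 13:        # only 'value set' records carry Details
        return False
    # Registry paths are case-insensitive, so compare in lower case.
    target = str(event.get("TargetObject", "")).lower()
    return target.endswith(TARGET_SUFFIX) and event.get("Details") == DISABLED_DETAILS


def find_matches(events: list) -> list:
    """Filter a batch of registry events down to the ones this rule flags."""
    return [e for e in events if is_crashdump_disabled(e)]


# Constructed sample records (shaped like Sysmon registry events, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Temp\unknown.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},   # crash dumps disabled -> flagged
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000007)"},   # automatic memory dump, a normal setting
    {"EventID": 13, "Image": r"C:\Temp\unknown.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot",
     "Details": "DWORD (0x00000000)"},   # different value under the same key
    {"EventID": 12, "Image": r"C:\Temp\unknown.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"},
     # key/value create event: no Details field, so it cannot match
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "set", hit["TargetObject"], "to", hit["Details"])
```

Only the first record matches; the other three show the false positives the key-suffix and Details checks are there to exclude.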
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
Created: 2022-02-24