
Disable Windows App Hotkeys

Splunk Security Content

Summary
This detection rule identifies suspicious registry modifications that disable Windows hotkeys for native applications. Using the Endpoint.Registry data model, it monitors the registry paths and values associated with this behavior on Windows. The rule looks for changes under 'Image File Execution Options' involving the 'Debugger' registry value, which indicate attempts to impair tools essential for incident response, such as Task Manager and Command Prompt. Such modifications can indicate malicious activity that lets attackers evade detection and maintain persistence on compromised systems. The detection is implemented by querying Sysmon Event IDs 12 and 13, which log registry changes, enabling proactive monitoring for this threat. If these changes are confirmed malicious, they could severely complicate remediation efforts.
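As an added example (not Splunk's own search logic), the following Python applies the same idea to constructed Sysmon Event ID 12/13 records: it flags creation of an Image File Execution Options key for, or a Debugger value set under, a monitored incident-response tool. The monitored tool list, the dict field names and the sample paths are assumptions made for the example.

```python
import re
# Path shape of an IFEO entry: ...\Image File Execution Options\<exe>[\<value>]
IFEO_RE = re.compile(r"\\Image File Execution Options\\(?P<exe>[^\\]+)(?:\\(?P<value>[^\\]+))?$", re.IGNORECASE)

# Incident-response tools named on the page; adding more is an assumption.
IR_TOOLS = {"taskmgr.exe", "cmd.exe"}

def classify(event):
    """Return a reason string if a Sysmon registry event (ID 12 = key create/delete,
    ID 13 = value set; Sysmon field names) looks like IFEO tampering, else None."""
    if event.get("EventID") not in (12, 13):
        return None
    match = IFEO_RE.search(event.get("TargetObject", ""))
    if not match or match.group("exe").lower() not in IR_TOOLS:
        return None
    exe, value = match.group("exe").lower(), (match.group("value") or "").lower()
    if event["EventID"] == 13 and value == "debugger":
        # Setting Debugger makes Windows launch the path in Details instead of <exe>.
        return f"IFEO Debugger set for {exe} -> {event.get('Details', '')!r}"
    if event["EventID"] == 12 and not value:
        # The per-executable key is usually created just before the value is set;
        # report it at lower confidence so the Debugger write is not the only signal.
        return f"IFEO key created or deleted for {exe}"
    return None

def find_ifeo_tampering(events):
    """Run classify() over an iterable of events and return (Image, reason) pairs."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.get("Image", "<unknown>"), reason))
    return hits

# Constructed sample events for this example, not real telemetry.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
REG = r"C:\Windows\System32\reg.exe"
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": REG, "TargetObject": IFEO + r"\taskmgr.exe"},
    {"EventID": 13, "Image": REG, "TargetObject": IFEO + r"\taskmgr.exe\Debugger", "Details": r"C:\Temp\stub.exe"},
    {"EventID": 13, "Image": REG, "TargetObject": IFEO + r"\cmd.exe\Debugger", "Details": r"C:\Temp\stub.exe"},
    # Expected non-hits: an unmonitored binary, and a non-Debugger value under cmd.exe.
    {"EventID": 13, "Image": REG, "TargetObject": IFEO + r"\notepad.exe\Debugger", "Details": r"C:\Tools\dbg.exe"},
    {"EventID": 13, "Image": REG, "TargetObject": IFEO + r"\cmd.exe\GlobalFlag", "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for image, reason in find_ifeo_tampering(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```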
Categories
  • Endpoint
  • Windows
Data Sources
  • User Account
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1562.001
  • T1562
  • T1112
Created: 2024-12-08