
Windows Disable Memory Crash Dump

Splunk Security Content

Summary
The detection rule 'Windows Disable Memory Crash Dump' identifies attempts to disable the memory crash dump feature on Windows, which is done by setting the registry value 'CrashDumpEnabled' (under the CrashControl key of the SYSTEM hive) to zero. The analytic monitors data from the Endpoint.Registry datamodel for writes to that value. Disabling crash dumps removes a key forensic artifact, the memory image written when the system crashes, and so impairs forensic analysis and incident response. The activity may signal malicious intent and can be part of a broader attack, such as data destruction or system destabilization, as observed in incidents involving HermeticWiper. An alert from this rule should be treated as a significant escalation in risk to operational continuity and data integrity, since it suggests an adversary is limiting what can be recovered after a destructive action.
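The rule's logic, applied to constructed registry events in Python, as an added example that is not the Splunk rule's own SPL. The field names registry_path and registry_value_data mirror the Endpoint.Registry datamodel; the hostnames, process names and event contents are made up. Accepting ControlSet00N alongside CurrentControlSet, and both the Sysmon "DWORD (0x...)" rendering and the stripped "0x..." form, are assumptions of this example, not something the rule text states:

```python
import re
from dataclasses import dataclass

# Path of the value the rule watches: the CrashDumpEnabled DWORD under the
# CrashControl key of the SYSTEM hive. ControlSet00N is accepted alongside
# CurrentControlSet (assumption) because a writer can target the backing
# control set directly instead of the CurrentControlSet link.
CRASH_DUMP_ENABLED_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\CrashControl\\CrashDumpEnabled$",
    re.IGNORECASE,
)

# Sysmon renders DWORD data as "DWORD (0x00000000)"; some pipelines strip the
# prefix and leave "0x00000000". Both shapes are accepted here (assumption).
DWORD_RE = re.compile(r"^(?:DWORD \()?0x([0-9a-f]{1,8})\)?$", re.IGNORECASE)


@dataclass(frozen=True)
class RegistryEvent:
    """A registry value-set event with Endpoint.Registry-style field names."""
    host: str
    process_name: str
    registry_path: str
    registry_value_data: str


def parse_dword(data: str):
    """Return the integer value of DWORD data, or None if it is not a DWORD."""
    m = DWORD_RE.match(data.strip())
    return int(m.group(1), 16) if m else None


def is_crash_dump_disabled(event: RegistryEvent) -> bool:
    """True when the event sets CrashDumpEnabled to 0 (dumps disabled).

    A non-zero write (e.g. 1 complete, 2 kernel, 3 small, 7 automatic dump)
    only changes the dump type and is not the disable the rule looks for.
    """
    if not CRASH_DUMP_ENABLED_RE.search(event.registry_path):
        return False
    return parse_dword(event.registry_value_data) == 0


def detect(events):
    """Return the events that match the rule, in input order."""
    return [e for e in events if is_crash_dump_disabled(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    RegistryEvent("WS01", "reg.exe",
                  r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
                  "DWORD (0x00000000)"),   # dumps disabled: should alert
    RegistryEvent("WS01", "svchost.exe",
                  r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
                  "DWORD (0x00000007)"),   # automatic memory dump: benign
    RegistryEvent("WS01", "reg.exe",
                  r"HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot",
                  "DWORD (0x00000000)"),   # sibling value: out of scope
    RegistryEvent("SRV02", "powershell.exe",
                  r"HKLM\System\ControlSet001\Control\CrashControl\CrashDumpEnabled",
                  "0x00000000"),           # alternate control set, stripped format: alert
    RegistryEvent("WS03", "setup.exe",
                  r"HKLM\Software\Vendor\Agent\CrashDumpEnabled",
                  "DWORD (0x00000000)"),   # same value name, unrelated key: no alert
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit.host}: {hit.process_name} set {hit.registry_path} "
              f"to {hit.registry_value_data}")
```

Two of the five constructed events match: the explicit disable on WS01 and the write to the backing control set on SRV02. A dump-type change, a sibling value under CrashControl, and a same-named value under an unrelated key are all ignored, which is the precision a practitioner wants before routing this alert as a high-priority escalation.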
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Windows Registry
ATT&CK Techniques
  • T1485
Created: 2024-11-13