Windows Modify Registry No Auto Update

Splunk Security Content

Summary
This analytic identifies suspicious modifications to the Windows registry that disable automatic updates, specifically changes to the registry path `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate`. It detects when that value is set to `0x00000001`, a tactic used by adversaries, including malware such as RedLine Stealer, to prevent systems from receiving critical security updates. Such modifications leave systems exposed to further exploitation, including zero-day attacks, because they sidestep a core security control. By monitoring Sysmon EventIDs 12 and 13, the rule provides visibility into potentially malicious activity and allows security teams to respond promptly when such registry changes are identified. False positives may arise from legitimate administrative actions, so analysts should corroborate findings with contextual details such as the modifying process.
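The detection logic described above, written out as an added Python example (not Splunk's own SPL search) that runs over a few constructed Sysmon EventID 12/13 registry records; field names follow Sysmon's schema, but the process paths and values are made up for illustration:

```python
import re

# Constructed sample events in the shape of Sysmon registry telemetry
# (EventID 12 = key/value create or delete, 13 = value set). Not real logs.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "Details": "DWORD (0x00000001)"},          # disables auto update -> alert
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "Details": "DWORD (0x00000000)"},          # re-enables auto update -> no alert
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions",
     "Details": "DWORD (0x00000001)"},          # different value name -> no alert
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "Details": None},                          # creation event carries no data -> no alert
]

# Path monitored by the analytic; matched as a suffix so any hive prefix
# (HKLM\..., or the longer \REGISTRY\MACHINE\... form) is accepted.
TARGET_SUFFIX = r"\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate".lower()
DWORD_RE = re.compile(r"0x([0-9a-fA-F]{8})")


def parse_dword(details):
    """Return the integer in a Sysmon 'DWORD (0x........)' Details field, else None."""
    if not details:
        return None
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def is_no_auto_update_set(event):
    """True when an EventID 13 value-set writes NoAutoUpdate = 0x00000001."""
    if event.get("EventID") != 13:
        return False
    if not event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return False
    return parse_dword(event.get("Details")) == 1


def find_alerts(events):
    """Return matching events; Image is kept so the analyst can triage the writer."""
    return [e for e in events if is_no_auto_update_set(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("NoAutoUpdate disabled by", hit["Image"])
```

Only the first record fires; the EventID 12 creation of the same value is deliberately not matched because it carries no data to confirm the setting, which mirrors why the analytic keys on the written value rather than the path alone.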
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
Created: 2024-11-13