Techniques
Sample rules
Windows Chrome Auto-Update Disabled via Registry
- source: splunk
- techniques:
- T1185
Description
The following analytic detects modifications to Windows registry values that disable Google Chrome auto-updates. Changes to values such as DisableAutoUpdateChecksCheckboxValue = 1, Update{8A69D345-D564-463C-AFF1-A69D9E530F96} = 0, UpdateDefault = 0, and AutoUpdateCheckPeriodMinutes = 0 can prevent Chrome from receiving security updates. This behavior may indicate attempts to bypass update policies, maintain unauthorized extensions, or facilitate malware persistence. Monitoring these registry changes helps identify potential policy violations or malicious activity targeting browser security.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
where Registry.registry_path = "*\\Google\\Update*"
AND
(
  (
    Registry.registry_value_name = "DisableAutoUpdateChecksCheckboxValue"
    AND Registry.registry_value_data = 0x00000001
  )
  OR
  (
    Registry.registry_value_name IN (
      "AutoUpdateCheckPeriodMinutes",
      "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}",
      "UpdateDefault"
    )
    AND Registry.registry_value_data = 0x00000000
  )
)
by Registry.action Registry.dest Registry.process_guid Registry.process_id
Registry.registry_hive Registry.registry_path Registry.registry_key_name
Registry.registry_value_data Registry.registry_value_name
Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_chrome_auto_update_disabled_via_registry_filter`
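The same predicate as the SPL above, applied to a few constructed Endpoint.Registry-style events so the matching can be checked outside Splunk. This is an added example, not Splunk's rule code; it assumes registry_value_data arrives in the Sysmon "DWORD (0x00000001)" form (or a bare number) and that the path wildcard is matched case-insensitively, as the `*\\Google\\Update*` condition is applied to both OR branches.

```python
import fnmatch
import re

# Value names the rule watches, with the data that disables Chrome updates
# (mirrors the two OR branches of the detection logic).
DISABLING_VALUES = {
    "DisableAutoUpdateChecksCheckboxValue": 1,
    "AutoUpdateCheckPeriodMinutes": 0,
    "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}": 0,
    "UpdateDefault": 0,
}
PATH_PATTERN = "*\\google\\update*"  # compared against the lower-cased path


def parse_dword(data: str):
    """Return the integer in Sysmon-style data such as 'DWORD (0x00000001)',
    or a bare '0x1' / '1'. Returns None when the data is not a DWORD."""
    m = re.fullmatch(r"(?:DWORD\s*\()?\s*(0x[0-9a-fA-F]+|\d+)\s*\)?", data.strip())
    if not m:
        return None
    s = m.group(1)
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def is_chrome_update_disabled(event: dict) -> bool:
    """Apply the rule's predicate to one event dict with registry_path,
    registry_value_name and registry_value_data fields."""
    path = event.get("registry_path", "")
    if not fnmatch.fnmatchcase(path.lower(), PATH_PATTERN):
        return False  # outside the Google\Update policy key: never a match
    expected = DISABLING_VALUES.get(event.get("registry_value_name", ""))
    if expected is None:
        return False  # value name the rule does not care about
    return parse_dword(str(event.get("registry_value_data", ""))) == expected


def matching_events(events):
    return [e for e in events if is_chrome_update_disabled(e)]


# Constructed sample events (not real telemetry): two hits, two non-hits.
SAMPLE_EVENTS = [
    {"registry_path": "HKLM\\SOFTWARE\\Policies\\Google\\Update\\UpdateDefault",
     "registry_value_name": "UpdateDefault", "registry_value_data": "DWORD (0x00000000)"},
    {"registry_path": "HKLM\\SOFTWARE\\Policies\\Google\\Update\\AutoUpdateCheckPeriodMinutes",
     "registry_value_name": "AutoUpdateCheckPeriodMinutes", "registry_value_data": "DWORD (0x0000003c)"},
    {"registry_path": "HKLM\\SOFTWARE\\Policies\\Google\\Update\\DisableAutoUpdateChecksCheckboxValue",
     "registry_value_name": "DisableAutoUpdateChecksCheckboxValue", "registry_value_data": "DWORD (0x00000001)"},
    {"registry_path": "HKLM\\SOFTWARE\\Contoso\\App\\UpdateDefault",  # same value name, wrong key
     "registry_value_name": "UpdateDefault", "registry_value_data": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print("ALERT:", e["registry_path"], "=", e["registry_value_data"])
```

The second sample (a 60-minute check period) and the fourth (UpdateDefault = 0 under an unrelated key) show why both the data comparison and the path condition are needed to avoid false positives.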