LoFP / this windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, in this type of scenario filter is needed to minimized false positive.

Techniques

• T1112

Sample rules

Windows Disable Change Password Through Registry

• source: splunk
• technicques:
  • T1112

Description

The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path “*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword” with a value of “0x00000001”. This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_disable_change_password_through_registry_filter`