high advisory

Windows Defender Application Guard Auditing Disabled via Registry Modification

Attackers modify the Windows Registry to disable auditing for Windows Defender Application Guard, hindering security monitoring and enabling malicious activity to go unnoticed.

This brief focuses on a technique where attackers disable Windows Defender Application Guard auditing by modifying specific registry keys. The attack involves setting the registry value AuditApplicationGuard to 0x00000000. This is done to impair defenses and evade detection: with auditing off, security monitoring tools no longer log malicious activity inside the isolated Application Guard environment. The registry modification is typically performed post-exploitation to support persistence or lateral movement without triggering alerts, and can lead to unauthorized access and data exfiltration. The technique has been discussed in the security research community as a method of bypassing security controls.

Attack Chain

  1. Initial access to the system is achieved through unspecified means, such as exploiting a vulnerability or using stolen credentials.
  2. The attacker elevates privileges to gain administrative access required to modify the registry.
  3. The attacker uses a tool such as reg.exe, PowerShell, or custom malware to modify the registry.
  4. The attacker navigates to the registry path *\Policies\Microsoft\AppHVSI\.
  5. The attacker targets the registry value named AuditApplicationGuard under that key.
  6. The attacker sets the AuditApplicationGuard registry value data to 0x00000000, disabling Application Guard auditing.
  7. With auditing disabled, malicious activities within the Application Guard environment go unmonitored.
  8. The attacker performs actions such as lateral movement or data exfiltration.

Impact

Disabling Windows Defender Application Guard auditing allows attackers to operate within the isolated environment without generating security logs, making it difficult to detect and respond to their activities. If successful, this attack can lead to unauthorized access, data exfiltration, or further system compromise. The registry modification affects all systems where Windows Defender Application Guard is enabled and configured to use auditing.

Recommendation

  • Deploy the Sigma rule "Registry Modification to Disable Application Guard Auditing" to your SIEM and tune it for your environment to detect this specific registry modification.
  • Enable Sysmon Event ID 13 (RegistryEvent: Value Set) logging to capture registry value modifications, as required by the detection logic.
  • Investigate any alerts generated by the Sigma rule, focusing on the process responsible for the registry modification and the user context.
  • Monitor for unexpected processes modifying registry keys related to Windows Defender policies.

Detection coverage (2 rules)

Registry Modification to Disable Application Guard Auditing

high

Detects modifications to the Windows registry that disable Windows Defender Application Guard auditing by setting the AuditApplicationGuard value to 0.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows

Process Modifying Application Guard Registry Keys

medium

Detects processes that modify registry keys associated with Windows Defender Application Guard settings.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows
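The two rules above are described only by name and summary; their queries stay inside the platform. The following Python is an added illustration, not the platform's Sigma rules, of how both detection ideas can be applied to Sysmon Event ID 13 (RegistryEvent: Value Set) records, which is the event type the registry_set source maps to. It assumes the Sysmon field names (TargetObject, Details, Image, User), assumes Sysmon's rendering of DWORD data as "DWORD (0x00000000)", matches on the key suffix because the hive prefix can vary, and runs over a handful of constructed sample events (none are real telemetry). The high-severity rule fires only when AuditApplicationGuard is set to zero; the medium-severity rule fires on any other value set under the AppHVSI policy key, so each finding also carries the process image and user context the recommendations say to investigate.

```python
"""Reimplementation of the two detection ideas from this brief, run over
constructed Sysmon Event ID 13 records. Not the platform's own rules."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Key suffix from the brief, compared case-insensitively (hive prefix may vary).
APPHVSI_KEY_FRAGMENT = "\\policies\\microsoft\\apphvsi\\"
AUDIT_VALUE_SUFFIX = APPHVSI_KEY_FRAGMENT + "auditapplicationguard"
# Assumed Sysmon rendering of a zero DWORD, e.g. "DWORD (0x00000000)".
DWORD_ZERO = re.compile(r"^DWORD \(0x0+\)$", re.IGNORECASE)

HIGH_RULE = "Registry Modification to Disable Application Guard Auditing"
MEDIUM_RULE = "Process Modifying Application Guard Registry Keys"


@dataclass(frozen=True)
class Finding:
    rule: str
    level: str
    image: str      # process responsible for the write (triage context)
    user: str       # account context of that process
    target: str
    details: str


def classify(event: dict) -> Optional[Finding]:
    """Apply the high rule first, then the medium one; None if neither fires."""
    if event.get("EventID") != 13:          # only registry value-set events
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    image, user = event.get("Image", ""), event.get("User", "")
    target_l = target.lower()
    if target_l.endswith(AUDIT_VALUE_SUFFIX) and DWORD_ZERO.match(details):
        return Finding(HIGH_RULE, "high", image, user, target, details)
    if APPHVSI_KEY_FRAGMENT in target_l:
        return Finding(MEDIUM_RULE, "medium", image, user, target, details)
    return None


def run_detection(events: List[dict]) -> List[Finding]:
    """Return every finding, in event order."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample events (not real telemetry); value names other than
# AuditApplicationGuard are placeholders.
SAMPLE_EVENTS = [
    # 1. The technique in the brief: auditing value set to 0 via reg.exe -> high
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard",
     "Details": "DWORD (0x00000000)"},
    # 2. Same value set to 1 (auditing enabled) by Group Policy -> medium only
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard",
     "Details": "DWORD (0x00000001)"},
    # 3. A different (placeholder) AppHVSI policy value changed by PowerShell -> medium
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI\\ExamplePlaceholderSetting",
     "Details": "DWORD (0x00000001)"},
    # 4. Unrelated (placeholder) policy key -> no finding
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\ExamplePlaceholder",
     "Details": "DWORD (0x00000000)"},
    # 5. Event ID 12 (key create), not a value set -> ignored by both rules
    {"EventID": 12, "EventType": "CreateKey",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI",
     "Details": ""},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"[{f.level}] {f.rule}: {f.image} as {f.user} set {f.target} = {f.details}")
```

In a SIEM the same logic is the Sigma selection: a registry_set event whose TargetObject ends with the AuditApplicationGuard path and whose Details equals the zero DWORD, with the broader AppHVSI key match as the lower-severity companion rule. The medium rule is deliberately noisy on policy refreshes, so tuning against known Group Policy and management-agent process images, as the recommendations suggest, is what keeps it actionable.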

Detection queries are kept inside the platform.