{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hotkey-disablement/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["registry-modification","defense-evasion","persistence","hotkey-disablement"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may disable Windows application hotkeys by modifying specific registry entries (MITRE ATT\u0026CK T1112, Modify Registry). The tactic aims to impair an analyst\u0026rsquo;s ability to reach essential tools such as Task Manager and Command Prompt, hindering incident response. The activity involves setting the \u0026lsquo;Debugger\u0026rsquo; value to \u0026ldquo;HotKey Disabled\u0026rdquo; under the \u0026lsquo;Image File Execution Options\u0026rsquo; (IFEO) subkey of a native application. Windows honours that value by launching the string as a debugger in place of the target executable; because \u0026ldquo;HotKey Disabled\u0026rdquo; is not a runnable program, the launch fails. The effect is therefore not limited to the hotkey: the target does not start whether invoked by Ctrl+Shift+Esc, from the Start menu, or from the command line, which complicates remediation and can help the attacker maintain persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates to administrative privileges, which are required to write under HKLM.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a subkey named after the target executable (e.g., \u003ccode\u003etaskmgr.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a value named \u003ccode\u003eDebugger\u003c/code\u003e within the subkey.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eDebugger\u003c/code\u003e value to \u003ccode\u003eHotKey Disabled\u003c/code\u003e; from this point every attempt to start the target application fails, including via its hotkey.\u003c/li\u003e\n\u003cli\u003eThe analyst attempts to use hotkeys for incident response and finds them non-functional.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and complicates incident response efforts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling Windows application hotkeys can severely hinder incident response. With Task Manager and Command Prompt unreachable via their hotkeys (and, while the \u003ccode\u003eDebugger\u003c/code\u003e value remains, by any other launch method), analysts must fall back on slower alternatives such as PowerShell or remote management tooling, unless those have been targeted as well. This delays critical tasks such as identifying and terminating malicious processes, giving the attacker more time to operate undetected. Any organization relying on standard Windows tools for security monitoring and incident handling is affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (RegistryEvent, value set) logging and make sure the Sysmon configuration captures writes under the Image File Execution Options key, so that \u003ccode\u003eDebugger\u003c/code\u003e value changes are recorded together with the writing process.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows App Hotkey Disablement\u003c/code\u003e (or its equivalent in your SIEM) to identify this specific registry modification: a \u003ccode\u003eDebugger\u003c/code\u003e value of \u003ccode\u003eHotKey Disabled\u003c/code\u003e under an Image File Execution Options subkey.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the \u003ccode\u003eRegistry.dest\u003c/code\u003e field (the host field of the Splunk CIM Endpoint.Registry data model) to identify affected systems, and on the writing process and user to identify the source of the change.\u003c/li\u003e\n\u003cli\u003eReview identified systems for other signs of compromise, including any other unexpected \u003ccode\u003eDebugger\u003c/code\u003e values under Image File Execution Options, since the same mechanism can block or hijack arbitrary executables. Once confirmed malicious, delete the \u003ccode\u003eDebugger\u003c/code\u003e value (or the attacker-created subkey) to restore the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-disable-windows-app-hotkeys/","summary":"Attackers disable Windows application hotkeys by modifying specific registry entries to hinder incident response and evade detection.","title":"Windows Application Hotkey Disablement via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-disable-windows-app-hotkeys/"}],"language":"en","title":"CraftedSignal Threat Feed — Hotkey-Disablement","version":"https://jsonfeed.org/version/1.1"}