Sigma rules for CVE-2024-1891
2 rules · scoped to cve · back to CVE-2024-1891
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Activate Suppression of Windows Security Center Notifications
id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
status: test
description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress'
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Unknown
level: medium
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
status: test
description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml
simulation:
- type: atomic-red-team
name: Disable Windows Security Center Notifications
technique: T1112
atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e