Registry Disable System Restore

Original Source: [Sigma source]
Title: Registry Disable System Restore
Status: test
Description: Detects modification of the registry to disable System Restore on the host
References:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
Author: frack113
Date: 2022-04-04
Modified: 2023-08-17
Tags:
  - attack.impact
  - attack.t1490
Logsource:
  category: registry_set
  product: windows
Detection:
  selection:
    TargetObject|contains:
      - '\Policies\Microsoft\Windows NT\SystemRestore'
      - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    TargetObject|endswith:
      - 'DisableConfig'
      - 'DisableSR'
    Details: 'DWORD (0x00000001)'
  condition: selection
Falsepositives:
  - Unknown
Level: high
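To show how the selection above evaluates against registry_set telemetry, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that implements the three field conditions with Sigma's default case-insensitive string matching and runs them over constructed events shaped like Sysmon EventID 13 records. The event dicts, and the helper names `matches_rule` and `alerts`, are assumptions made for this example.

```python
"""
Minimal evaluator for the rule's `selection` block, run over constructed
Sysmon EventID 13 (registry_set) style events.  Added example, not part of
the Sigma rule or the SigmaHQ project; the events below are constructed,
not real telemetry.
"""

# Values copied from the rule's selection block.
PATH_FRAGMENTS = (
    r"\Policies\Microsoft\Windows NT\SystemRestore",
    r"\Microsoft\Windows NT\CurrentVersion\SystemRestore",
)
VALUE_NAMES = ("DisableConfig", "DisableSR")
DETAILS = "DWORD (0x00000001)"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every field of `selection`.

    Sigma string modifiers compare case-insensitively by default, so both
    sides are lower-cased before the contains / endswith / equals checks.
    All three fields must match (they are ANDed inside one selection).
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    in_sr_key = any(frag.lower() in target for frag in PATH_FRAGMENTS)
    is_disable_value = any(target.endswith(name.lower()) for name in VALUE_NAMES)
    set_to_one = details == DETAILS.lower()
    return in_sr_key and is_disable_value and set_to_one


# Constructed sample events with Sysmon EventID 13 field names.
SAMPLE_EVENTS = [
    {   # policy key, DisableSR set to 1 -> should alert
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",
        "Details": "DWORD (0x00000001)",
    },
    {   # CurrentVersion key, DisableConfig set to 1 -> should alert
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableConfig",
        "Details": "DWORD (0x00000001)",
    },
    {   # same value written back to 0 (re-enabled) -> no alert, rule needs 1
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",
        "Details": "DWORD (0x00000000)",
    },
    {   # unrelated value under the SystemRestore key -> no alert
        "EventID": 13,
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval",
        "Details": "DWORD (0x00000001)",
    },
    {   # value name matches but the key is not a SystemRestore key -> no alert
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKCU\SOFTWARE\ExampleVendor\DisableSR",
        "Details": "DWORD (0x00000001)",
    },
]


def alerts(events) -> list:
    """Return the TargetObject of every event the rule would fire on."""
    return [e["TargetObject"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT Registry Disable System Restore:", hit)
```

Only the first two constructed events fire: the `Details` condition is an exact match on the Sysmon rendering `DWORD (0x00000001)`, so a write of `0` (re-enabling System Restore) or a value of a different type does not match, and the `endswith` condition restricts alerts to the two value names even though other values live under the same keys.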