Add two registry modifications

rules/windows/registry/registry_set/registry_set_disable_function_user.yml

@@ -6,9 +6,9 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
     - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
     - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali, CrimpSec
 date: 2022/03/18
-modified: 2023/08/17
+modified: 2023/11/13
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -25,6 +25,8 @@ detection:
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
+            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage' # https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL' # https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
         Details: 'DWORD (0x00000001)'
     selection_set_0:
         TargetObject|endswith: