From 25423b7232920612a2c012a6765511adfd1f7370 Mon Sep 17 00:00:00 2001
From: Luca <150611686+CrimpSec@users.noreply.github.com>
Date: Mon, 13 Nov 2023 21:22:13 -0500
Subject: [PATCH] Add two registry modifications

---
 .../registry_set/registry_set_disable_function_user.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 96d1c9a1eb7..061646058c3 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
 - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali, CrimpSec
 date: 2022/03/18
-modified: 2023/08/17
+modified: 2023/11/13
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -25,6 +25,8 @@ detection:
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage' # https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL' # https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
 Details: 'DWORD (0x00000001)'
 selection_set_0:
 TargetObject|endswith:
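Review bot: The two new `NoDispBackgroundPage` and `NoDispCPL` entries in the second hunk carry their source links as trailing `#` comments on the list items, while the rule already has a `references:` section that the first hunk touches; Sigma tooling and readers look there, so the links should be added as `- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage` and `- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl` under `references:` and the inline comments dropped. Both values live under `Policies\System`, which is the location typically written by Group Policy user-configuration lockdown settings, so GPO-managed kiosk or shared-workstation images are a likely benign source of `DWORD (0x00000001)` writes here; the rule's `falsepositives:` section is outside the hunk and should be checked for a matching entry. The enclosing `detection:` block continues past the hunk (`selection_set_0` is cut at `TargetObject|endswith:`).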