Disable Windows App Hotkeys

Disable Windows App Hotkeys

Description

This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like taskmgr.exe and cmd.exe. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.

   Help

Disable Windows App Hotkeys Help

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as CarbonBlack or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

   Search

Open in Search