Create registry_set_enabling_turn_off_check.yml

rules/windows/registry/registry_set/registry_set_enabling_turn_off_check.yml

@@ -0,0 +1,24 @@
+title: Scripted Diagnostics Turn Off Check Enabled - Registry
+id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
+description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
+date: 2022/06/15
+author: 'Christopher Peacock @securepeacock', SCYTHE @scythe_io'
+references:
+    - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
+status: experimental
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject: 
+            - 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Administrator actions
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001