From c0f01c84b39f22812dfd7e0ea9af2c6e728ccc5e Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Wed, 15 Jun 2022 10:49:19 -0400
Subject: [PATCH] Create registry_set_enabling_turn_off_check.yml

---
 .../registry_set_enabling_turn_off_check.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_enabling_turn_off_check.yml

diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turn_off_check.yml b/rules/windows/registry/registry_set/registry_set_enabling_turn_off_check.yml
new file mode 100644
index 000000000..748e8c552
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_enabling_turn_off_check.yml
@@ -0,0 +1,24 @@
+title: Scripted Diagnostics Turn Off Check Enabled - Registry
+id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
+description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
+date: 2022/06/15
+author: 'Christopher Peacock @securepeacock', SCYTHE @scythe_io'
+references:
+ - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
+status: experimental
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject:
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics
+ Details: 'DWORD (0x00000001)'
+ condition: selection
+falsepositives:
+ - Administrator actions
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
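Review bot: The `TargetObject` entry `- 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics` names only the key, not the `TurnOffCheck` value the title and description are about, and it is missing its closing quote, so the selection will not match a registry SetValue event for that value (the TargetObject of a SetValue event carries the full path including the value name); change it to `- 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'`. The `author` line has an unbalanced quote (`'Christopher Peacock @securepeacock', SCYTHE @scythe_io'`) that will break YAML parsing; `author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'` fixes it. The description would also help analysts more if it said what the value does rather than only "bypass defense", e.g. `description: Detects setting the TurnOffCheck value to 1 under the ScriptedDiagnostics policy key, which disables the check that blocks MSDT (Follina) exploitation and so re-enables the attack path`. Since `Details` is matched exactly against `DWORD (0x00000001)`, note in `falsepositives` or a comment that only Sysmon-style value formatting is covered, in case another registry log source renders the value differently.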