Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules

new: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine new: Vulnerable Driver Blocklist Registry Tampering Via CommandLine new: Windows Vulnerable Driver Blocklist Disabled --------- Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-01-27 04:38:42 +05:45
parent 092b852af3
commit 3d8c650ba2
14 changed files with 362 additions and 3 deletions
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-23T02:25:20.222853Z"
+        }
+      },
+      "EventRecordID": 90965,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3320,
+          "ThreadID": 4216
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-23 02:25:20.191",
+      "ProcessGuid": "0197231E-FD90-6949-5110-000000000D00",
+      "ProcessId": 10104,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg.exe  add \"HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\" /v \"Enabled\" /t REG_DWORD /d 0 /f",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-5032-6940-AAE2-070000000000",
+      "LogonId": "0x7e2aa",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0",
+      "ParentProcessGuid": "0197231E-FB8C-6949-2310-000000000D00",
+      "ParentProcessId": 22176,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: 7c72394d-cb39-4d53-836a-ebc524ee1685
+description: N/A
+date: 2025-12-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
+      title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-23T02:16:46.810517Z"
+        }
+      },
+      "EventRecordID": 90849,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3320,
+          "ThreadID": 4216
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-23 02:16:46.792",
+      "ProcessGuid": "0197231E-FB8E-6949-2610-000000000D00",
+      "ProcessId": 25368,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg  add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config\" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 00000000 /f",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-5032-6940-AAE2-070000000000",
+      "LogonId": "0x7e2aa",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0",
+      "ParentProcessGuid": "0197231E-FB8C-6949-2310-000000000D00",
+      "ParentProcessId": 22176,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: eca9f987-800a-4b32-92ec-2d50a0a120a0
+description: N/A
+date: 2025-12-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
+      title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/22154f0e-5132-4a54-aa78-cc62f6def531.evtx
@@ -4,7 +4,7 @@ date: 2025-10-24
 author: SigmaHQ Team
 rule_metadata:
    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
-      title: Hypervisor Enforced Code Integrity Disabled
+      title: Windows Hypervisor Enforced Code Integrity Disabled
 regression_tests_info:
    - name: Positive Detection Test
      type: evtx
@@ -0,0 +1,52 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-23T02:22:32.926365Z"
+        }
+      },
+      "EventRecordID": 90931,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3320,
+          "ThreadID": 4216
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2025-12-23 02:22:32.922",
+      "ProcessGuid": "0197231E-FCE8-6949-4010-000000000D00",
+      "ProcessId": 17728,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable",
+      "Details": "DWORD (0x00000000)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: 329ecd6e-38a9-4bab-a75f-66854af61019
+description: N/A
+date: 2025-12-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: d526c60a-e236-4011-b165-831ffa52ab70
+      title: Windows Vulnerable Driver Blocklist Disabled
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/d526c60a-e236-4011-b165-831ffa52ab70.evtx
@@ -0,0 +1,53 @@
+title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
+id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
+related:
+    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
+      type: similar
+status: experimental
+description: |
+    Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
+    HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
+    Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
+references:
+    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
+    - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-01-26
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+              - '\reg.exe'
+        - OriginalFileName:
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+              - 'reg.exe'
+    selection_cli:
+        CommandLine|contains:
+            - 'add '
+            - 'New-ItemProperty '
+            - 'Set-ItemProperty '
+            - 'si '  # SetItem Alias
+    selection_cli_base:
+        CommandLine|contains: '\DeviceGuard'
+    selection_cli_key:
+        CommandLine|contains:
+            - 'EnableVirtualizationBasedSecurity'
+            - 'HypervisorEnforcedCodeIntegrity'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
+      technique: T1562.001
+      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
@@ -0,0 +1,47 @@
+title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
+id: 22154f0e-5132-4a54-aa78-cc62f6def531
+related:
+    - id: d526c60a-e236-4011-b165-831ffa52ab70
+      type: similar
+status: experimental
+description: |
+    Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.
+    The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.
+    Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors
+    to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
+references:
+    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
+    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-01-26
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+              - '\reg.exe'
+        - OriginalFileName:
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+              - 'reg.exe'
+    selection_cli_1:
+        CommandLine|contains:
+            - 'add '
+            - 'New-ItemProperty '
+            - 'Set-ItemProperty '
+            - 'si '  # SetItem Alias
+    selection_cli_2:
+        CommandLine|contains|all:
+            - '\Control\CI\Config'
+            - 'VulnerableDriverBlocklistEnable'
+    condition: all of selection_*
+falsepositives:
+    - It is very unlikely for legitimate activities to disable the Vulnerable Driver Blocklist via command line tools; thus it is recommended to investigate promptly.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/info.yml
@@ -1,5 +1,8 @@
-title: Hypervisor Enforced Code Integrity Disabled
+title: Windows Hypervisor Enforced Code Integrity Disabled
 id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
+related:
+    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
+      type: similar
 status: test
 description: |
    Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
@@ -24,7 +27,7 @@ detection:
        Details: 'DWORD (0x00000000)'
    condition: selection
 falsepositives:
-    - Unknown
+    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
 level: high
 regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
 simulation:
@@ -0,0 +1,33 @@
+title: Windows Vulnerable Driver Blocklist Disabled
+id: d526c60a-e236-4011-b165-831ffa52ab70
+related:
+    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
+      type: similar
+status: experimental
+description: |
+    Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
+    and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
+    particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
+    This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
+    Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
+    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-01-26
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
+        Details: 'DWORD (0x00000000)'
+    condition: selection
+falsepositives:
+    - Unlikely and should be investigated immediately.
+level: high
+regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml