Vulnerable Driver Blocklist Registry Tampering Via CommandLine

Sigma Rules

Summary
This detection rule identifies unauthorized changes to the Vulnerable Driver Blocklist registry key on Windows systems. The Vulnerable Driver Blocklist prevents the loading of known vulnerable drivers that would otherwise introduce security risks. The rule monitors command-line activity, specifically the use of tools such as PowerShell or REG.EXE, for operations that modify the registry settings related to the blocklist. In particular, it looks for commands that add or modify properties within the registry path that governs the blocklist. Any attempt to disable this feature could indicate malicious intent, particularly in environments where threat actors may try to load questionable drivers to exploit vulnerabilities. Because legitimate administration rarely disables the blocklist via command-line tools, any detection should prompt immediate investigation. This rule aligns with Defense Evasion tactics in the MITRE ATT&CK framework that are used to facilitate malware installation.
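The following is an added illustration of the detection logic the summary describes, written here as a small Python matcher over process-creation events; it is not the Sigma rule itself and not code from the rule's authors. It assumes Sysmon-style `Image` and `CommandLine` fields, the tool names the summary lists (PowerShell and REG.EXE), and that the "specific registry path" is `SYSTEM\CurrentControlSet\Control\CI\Config`, the key under which Windows keeps the blocklist's enable value (the page does not spell the path out). The sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Registry key whose values govern the Microsoft Vulnerable Driver Blocklist.
# Assumption: this is the "specific registry path" the rule summary refers to;
# the page itself does not spell it out.
BLOCKLIST_KEY = r"SYSTEM\CurrentControlSet\Control\CI\Config"

# Match the key with either slash style and any hive prefix
# (HKLM\, HKLM:\, HKEY_LOCAL_MACHINE\), case-insensitively.
KEY_RE = re.compile(
    r"[\\/]+".join(re.escape(part) for part in BLOCKLIST_KEY.split("\\")), re.I
)

# Command-line markers for adding or modifying a registry property:
# reg.exe's "add" verb and the PowerShell *-ItemProperty cmdlets.
MODIFY_RE = re.compile(r"\breg(?:\.exe)?\s+add\b|\b(?:set|new)-itemproperty\b", re.I)

# Images the rule summary names; compared on the trailing file name only.
WATCHED_IMAGES = ("powershell.exe", "pwsh.exe", "reg.exe")


def is_blocklist_tampering(event: Dict[str, str]) -> bool:
    """True when a process-creation event looks like a command-line edit of the blocklist key.

    All three conditions must hold, mirroring the summary above:
    1. the process is one of the watched command-line tools,
    2. the command line carries a property add/modify verb,
    3. the command line names the blocklist registry key.
    """
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    return (
        image in WATCHED_IMAGES
        and MODIFY_RE.search(cmd) is not None
        and KEY_RE.search(cmd) is not None
    )


def find_tampering(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of every event that trips the detection, in input order."""
    return [e["Id"] for e in events if is_blocklist_tampering(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Id": "evt-1", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" '
                    r'/v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0 /f'},
    {"Id": "evt-2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Set-ItemProperty -Path "
                    "'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config' "
                    "-Name VulnerableDriverBlocklistEnable -Value 0\""},
    # Benign: reading the key is not tampering.
    {"Id": "evt-3", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" '
                    r'/v VulnerableDriverBlocklistEnable'},
    # Benign: a property write under an unrelated key.
    {"Id": "evt-4", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\ExampleVendor\App" /v Setting /t REG_DWORD /d 1 /f'},
]

if __name__ == "__main__":
    for event_id in find_tampering(SAMPLE_EVENTS):
        print("ALERT: vulnerable driver blocklist tampering in", event_id)
```

Running the block flags `evt-1` and `evt-2` and leaves the read-only query and the unrelated write alone. A command-line matcher like this is only as good as the command line it sees: a path assembled from variables or an encoded PowerShell command will not contain the key text, which is why the rule also lists the Windows Registry as a data source; registry-event telemetry on the same key catches the write regardless of how the command was spelled.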
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Windows Registry
  • Process
Created: 2026-01-26