
Driver Added To Disallowed Images In HVCI - Registry

Summary
This detection rule identifies alterations to the 'HVCIDisallowedImages' registry setting on Windows systems. Specifically, it monitors for changes that may indicate an attempt to add a driver to the disallowed list, which is used to prevent unauthorized drivers from executing. The rule targets the registry path '\Control\CI\' and focuses on the 'HVCIDisallowedImages' key within it. Given the rule's high severity level, any modification to this registry key should be treated with caution, as it could signify an evasion tactic employed by a malicious actor. The rule is particularly significant in the context of Hypervisor-Protected Code Integrity (HVCI), a security feature designed to shield the kernel from potentially harmful drivers. Using this detection effectively requires understanding both the normal operational use of this registry key and the potential for its abuse in driver management on Windows systems.
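The matching logic the summary describes, run over a few constructed Sysmon-style registry events, as an added example (not the Sigma rule's own YAML and not code from the rule's authors). It assumes each event carries a 'TargetObject' field as Sysmon registry events do, compares paths case-insensitively because Windows registry paths are, and requires both the '\Control\CI\' parent path and the 'HVCIDisallowedImages' key name to be present so that a same-named key elsewhere in the hive does not fire.

```python
"""Match Sysmon-style registry events against the HVCIDisallowedImages rule."""
from typing import Dict, Iterable, List

# Path fragments the rule keys on, taken from the page's summary.  Windows
# registry paths are case-insensitive, so everything is compared lower-cased.
CONTROL_CI_FRAGMENT = "\\control\\ci\\"
DISALLOWED_KEY = "hvcidisallowedimages"


def matches_rule(event: Dict[str, object]) -> bool:
    """True when the event's registry target lies under \\Control\\CI\\ and
    names the HVCIDisallowedImages key (or something beneath it).

    Assumption: the event carries a 'TargetObject' field as Sysmon registry
    events (EventID 12 key create/delete, 13 value set, 14 rename) do.
    Both conditions must hold, so a same-named key elsewhere in the hive
    does not trigger the rule.
    """
    target = str(event.get("TargetObject", "")).lower()
    return CONTROL_CI_FRAGMENT in target and DISALLOWED_KEY in target


def scan(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not real logs).  The entries below the key are
# illustrative; the rule only cares about the key name and its parent path.
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\CI\\HVCIDisallowedImages"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\CI\\HVCIDisallowedImages\\example_driver"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\CI\\Config\\SomeOtherValue"},
    {"EventID": 13, "Image": "C:\\Program Files\\Contoso\\app.exe",
     "TargetObject": "HKCU\\Software\\Contoso\\HVCIDisallowedImages"},
]


if __name__ == "__main__":
    # Only the first two constructed events should be reported.
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} Image={hit['Image']} "
              f"Target={hit['TargetObject']}")
```

Triage of a hit should include the writing process ('Image') and whether the change is part of sanctioned driver management, since legitimate administration of this key is possible.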
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2023-12-05