
Summary
This detection rule analyzes changes in the Windows registry to identify when Hypervisor-protected Code Integrity (HVCI) is disabled. HVCI is a security feature that protects the kernel from malicious modification by enforcing integrity checks on code that runs in kernel mode. The rule looks for changes to the registry path that holds the HVCI setting; a change to a value indicating that HVCI is disabled may suggest malicious activity. Disabling HVCI increases the risk of kernel-level attacks, such as rootkits, that compromise the integrity of the operating system. The rule uses Sysmon EventIDs 12 and 13 as its data source and alerts on any modification detected in the HVCI-related configuration.
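As an added example, not the rule's own query or any code from this page, the following Python applies the check described above to constructed Sysmon EventID 12 and 13 records. The HVCI registry key path, the Sysmon field names (EventType, TargetObject, Details, Image) and the "DWORD (0x...)" formatting of Details are assumed from public Microsoft and Sysmon documentation rather than taken from this page.

```python
import re
from typing import Iterable, Optional

# Assumed from public documentation (not from the rule page): the "Enabled" DWORD
# under this key is 1 when HVCI is on and 0 when it is off.
HVCI_KEY = r"HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
HVCI_VALUE = HVCI_KEY + r"\Enabled"

# Sysmon EventID 13 renders DWORD data in the Details field as e.g. "DWORD (0x00000000)".
_DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def hvci_disable_alert(event: dict) -> Optional[str]:
    """Return an alert string if a Sysmon registry event disables HVCI, else None.

    Keys mirror Sysmon event fields: EventID, EventType, TargetObject, Details, Image.
    EventID 13 (value set) covers "Enabled" written as 0; EventID 12 (key create/delete)
    covers removal of the whole HVCI scenario key.
    """
    eid = int(event.get("EventID", 0))
    target = event.get("TargetObject", "").lower()  # registry paths are case-insensitive
    image = event.get("Image", "<unknown>")
    if eid == 13 and event.get("EventType") == "SetValue" and target == HVCI_VALUE.lower():
        match = _DWORD_RE.fullmatch(event.get("Details", ""))
        if match and int(match.group(1), 16) == 0:
            return f"HVCI disabled: Enabled set to 0 by {image}"
    if eid == 12 and event.get("EventType") == "DeleteKey" and target == HVCI_KEY.lower():
        return f"HVCI scenario key deleted by {image}"
    return None


def scan(events: Iterable[dict]) -> list:
    """Run the check over a stream of events and return only the alerts."""
    return [alert for alert in (hvci_disable_alert(e) for e in events) if alert]


# Constructed sample events, not real telemetry; process paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "TargetObject": HVCI_VALUE,
     "Details": "DWORD (0x00000001)", "Image": r"C:\Windows\System32\svchost.exe"},   # HVCI turned on: benign
    {"EventID": 13, "EventType": "SetValue", "TargetObject": HVCI_VALUE,
     "Details": "DWORD (0x00000000)", "Image": r"C:\Constructed\sample_tool.exe"},   # HVCI turned off: alert
    {"EventID": 12, "EventType": "DeleteKey", "TargetObject": HVCI_KEY,
     "Image": r"C:\Constructed\sample_tool.exe"},                                      # key removed: alert
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\ConstructedOtherValue",
     "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\System32\svchost.exe"},   # unrelated value: no alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```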
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13