LoFP / it is very unlikely for legitimate activities to disable the vulnerable driver blocklist via command line tools; thus it is recommended to investigate promptly.

Techniques

• t1562
• t1562.001

Sample rules

Vulnerable Driver Blocklist Registry Tampering Via CommandLine

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response

Detection logic

condition: all of selection_*
selection_cli_1:
  CommandLine|contains:
  - 'add '
  - 'New-ItemProperty '
  - 'Set-ItemProperty '
  - 'si '
selection_cli_2:
  CommandLine|contains|all:
  - \Control\CI\Config
  - VulnerableDriverBlocklistEnable
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \reg.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
  - reg.exe