Techniques
Sample rules
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- source: sigma
- techniques:
- t1562
- t1562.001
Description
Detects tampering with Hypervisor-protected Code Integrity (HVCI) related registry values from the command line, via reg.exe or the PowerShell New-ItemProperty and Set-ItemProperty cmdlets. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted, signed code can run in kernel mode. Adversaries may disable HVCI so that they can load malicious or unsigned drivers, which can then be used to escalate privileges, maintain persistence, or evade security mechanisms.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains:
    - 'add '
    - 'New-ItemProperty '
    - 'Set-ItemProperty '
    - 'si '
selection_cli_base:
  CommandLine|contains: \DeviceGuard
selection_cli_key:
  CommandLine|contains:
    - EnableVirtualizationBasedSecurity
    - HypervisorEnforcedCodeIntegrity
selection_img:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
      - \reg.exe
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
      - reg.exe
Windows Hypervisor Enforced Code Integrity Disabled
- source: sigma
- techniques:
- t1562
- t1562.001
Description
Detects the HypervisorEnforcedCodeIntegrity registry value, or the “Enabled” value under the HypervisorEnforcedCodeIntegrity scenario key, being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. With HVCI disabled, an attacker can load unsigned and untrusted code into the kernel. The rule matches on registry value-set telemetry (Details and TargetObject fields, as Sysmon Event ID 13 renders them), so it fires on the write itself regardless of which tool performed it.
Detection logic
condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
    - \Control\DeviceGuard\HypervisorEnforcedCodeIntegrity
    - \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
    - \Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
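To see how the two rules above actually behave, here is an added Python example (not code from the Sigma project or from this page) that reimplements each rule's matching logic and runs it over constructed events shaped like the Sysmon fields the rules reference (Event ID 1: Image, OriginalFileName, CommandLine; Event ID 13: TargetObject, Details). It also shows two things the rule text alone does not make obvious: a renamed reg.exe is still caught by the OriginalFileName branch of the first rule, and a direct write of 0 to EnableVirtualizationBasedSecurity is not covered by the second rule at all, only by the first when it is done through one of the listed tools. The sample events, labels and function names are this example's own assumptions.

```python
"""Evaluate the two HVCI Sigma rules over constructed sample events.

Added example, not code from the Sigma project or the original page. The
events below are hand-built and mimic Sysmon field names; they are not
real telemetry.
"""


def _contains(value, needles):
    # Sigma string matching (contains/endswith/plain) is case-insensitive by default.
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def _endswith(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def hvci_cli_tampering(ev):
    """Rule 1: 'all of selection_*' means every selection must match.

    Inside a selection, a list of values is OR; the selections are ANDed.
    """
    cmd = ev.get("CommandLine")
    sel_cli = _contains(cmd, ["add ", "New-ItemProperty ", "Set-ItemProperty ", "si "])
    sel_cli_base = _contains(cmd, ["\\DeviceGuard"])
    sel_cli_key = _contains(cmd, ["EnableVirtualizationBasedSecurity",
                                  "HypervisorEnforcedCodeIntegrity"])
    # selection_img is a YAML list of two maps, i.e. Image OR OriginalFileName.
    # The OriginalFileName branch is what still catches a renamed reg.exe.
    sel_img = (_endswith(ev.get("Image"), ["\\powershell.exe", "\\pwsh.exe", "\\reg.exe"])
               or (ev.get("OriginalFileName") or "").lower()
               in {"powershell.exe", "pwsh.dll", "reg.exe"})
    return sel_cli and sel_cli_base and sel_cli_key and sel_img


HVCI_VALUE_SUFFIXES = [
    "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity",
    "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled",
    "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity",
]


def hvci_disabled(ev):
    """Rule 2: a registry value-set event writing DWORD 0 to one of the HVCI values.

    Sysmon renders DWORD data in the Details field as e.g. 'DWORD (0x00000000)'.
    """
    details_is_zero = (ev.get("Details") or "").lower() == "dword (0x00000000)"
    return details_is_zero and _endswith(ev.get("TargetObject"), HVCI_VALUE_SUFFIXES)


# Constructed process-creation events (assumed shapes, not real logs).
SAMPLE_PROCESS_EVENTS = [
    {"label": "reg add Scenarios Enabled=0",
     "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f'},
    {"label": "Set-ItemProperty EnableVirtualizationBasedSecurity=0",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -NoProfile -Command Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -Name EnableVirtualizationBasedSecurity -Value 0"},
    {"label": "renamed reg.exe (caught via OriginalFileName)",
     "Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"r.exe add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f"},
    {"label": "reg query (benign, must not fire)",
     "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity"},
]

# Constructed registry value-set events (assumed shapes, not real logs).
SAMPLE_REGISTRY_EVENTS = [
    {"label": "Scenarios\\...\\Enabled -> 0",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled",
     "Details": "DWORD (0x00000000)"},
    {"label": "Scenarios\\...\\Enabled -> 1 (enabling, must not fire)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled",
     "Details": "DWORD (0x00000001)"},
    {"label": "DeviceGuard\\HypervisorEnforcedCodeIntegrity -> 0",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity",
     "Details": "DWORD (0x00000000)"},
    {"label": "EnableVirtualizationBasedSecurity -> 0 (not covered by rule 2)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity",
     "Details": "DWORD (0x00000000)"},
    {"label": "policy HypervisorEnforcedCodeIntegrity -> 0",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity",
     "Details": "DWORD (0x00000000)"},
]


def scan(process_events, registry_events):
    """Return (rule name, event label) pairs for every event that fires a rule."""
    hits = []
    for ev in process_events:
        if hvci_cli_tampering(ev):
            hits.append(("HVCI Related Registry Tampering Via CommandLine", ev["label"]))
    for ev in registry_events:
        if hvci_disabled(ev):
            hits.append(("Windows Hypervisor Enforced Code Integrity Disabled", ev["label"]))
    return hits


if __name__ == "__main__":
    for rule, label in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS):
        print(f"{rule}: {label}")
```

Running it prints six hits: the three tampering command lines (including the renamed reg.exe) and the three zero-writes to HVCI values; the benign reg query, the write of 1, and the EnableVirtualizationBasedSecurity write stay silent. The substring tokens in selection_cli ('add ', 'si ') are deliberately loose and depend on the other selections to keep the rule precise, so treat this reimplementation as a way to reason about the logic, and deploy the rules through a Sigma backend rather than hand-ported matching.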