LoFP / Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure it's intended

Techniques

Sample rules

Driver Added To Disallowed Images In HVCI - Registry

Description

Detects changes to the “HVCIDisallowedImages” registry value, which could be used to add a driver to the list in order to prevent it from loading.

Detection logic

condition: selection
selection:
  TargetObject|contains|all:
  - \Control\CI\
  - \HVCIDisallowedImages