Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine

Detects tampering with Hypervisor-protected Code Integrity (HVCI) related registry values via the command-line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.

Sigma rule

```yaml
title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
related:
    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
      type: similar
status: experimental
description: |
    Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
    HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
    Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
references:
    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
    - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli:
        CommandLine|contains:
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si '  # SetItem Alias
    selection_cli_base:
        CommandLine|contains: '\DeviceGuard'
    selection_cli_key:
        CommandLine|contains:
            - 'EnableVirtualizationBasedSecurity'
            - 'HypervisorEnforcedCodeIntegrity'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
      technique: T1562.001
      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
```
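To see how the four selections combine, the following added example re-implements just the Sigma semantics this rule needs (case-insensitive `endswith`/`contains`, AND across fields, OR across listed values, OR across the two maps in `selection_img`, and `all of selection_*` as an AND) and runs it over a handful of constructed `process_creation` events. It is not code from the rule author or the Sigma project, and the event records, their `id` labels and the sample command lines are constructed for illustration, not captured telemetry.

```python
"""Evaluate the HVCI registry-tampering Sigma rule over constructed
Windows process_creation events (added example, not the rule's own code)."""


def _norm(value):
    # Sigma string matching is case-insensitive; treat a missing field as empty.
    return (value or "").lower()


def _endswith_any(value, suffixes):
    v = _norm(value)
    return any(v.endswith(s.lower()) for s in suffixes)


def _equals_any(value, candidates):
    v = _norm(value)
    return any(v == c.lower() for c in candidates)


def _contains_any(value, needles):
    v = _norm(value)
    return any(n.lower() in v for n in needles)


def selection_img(event):
    # Written as a list of two maps in the rule, so the maps are ORed.
    return (_endswith_any(event.get("Image"),
                          [r"\powershell.exe", r"\pwsh.exe", r"\reg.exe"])
            or _equals_any(event.get("OriginalFileName"),
                           ["PowerShell.EXE", "pwsh.dll", "reg.exe"]))


def selection_cli(event):
    # A write verb: reg.exe 'add' or a PowerShell property-setting cmdlet/alias.
    return _contains_any(event.get("CommandLine"),
                         ["add ", "New-ItemProperty ", "Set-ItemProperty ", "si "])


def selection_cli_base(event):
    return _contains_any(event.get("CommandLine"), [r"\DeviceGuard"])


def selection_cli_key(event):
    return _contains_any(event.get("CommandLine"),
                         ["EnableVirtualizationBasedSecurity",
                          "HypervisorEnforcedCodeIntegrity"])


def rule_matches(event):
    """condition: all of selection_* -> every selection must be true."""
    return all(sel(event) for sel in
               (selection_img, selection_cli, selection_cli_base, selection_cli_key))


# Constructed sample events; 'id' is a label for this example only.
SAMPLE_EVENTS = [
    {"id": "tp-reg-hvci-scenario",
     "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'
                    r'\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f'},
    {"id": "tp-powershell-vbs",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -Command Set-ItemProperty -Path "
                    r"'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' "
                    r"-Name EnableVirtualizationBasedSecurity -Value 0"},
    {"id": "benign-read-only-query",
     "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" '
                    r"/v EnableVirtualizationBasedSecurity"},
    {"id": "benign-unrelated-key",
     "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Contoso\App" /v Enabled /t REG_DWORD /d 1 /f'},
    {"id": "wrong-image-gate",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo add \DeviceGuard HypervisorEnforcedCodeIntegrity"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<24} -> {'ALERT' if rule_matches(e) else 'no match'}")
```

The read-only `reg query` event falls out at `selection_cli`, the write to an unrelated key at `selection_cli_base`, and the `cmd.exe` event at `selection_img` even though its command line carries every keyword; only the two events that write an HVCI-related value under `\DeviceGuard` from one of the listed images satisfy all four selections.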
