Vulnerable Driver Blocklist Registry Tampering Via CommandLine

calendar Jan 26, 2026 · attack.defense-evasion attack.t1562.001  ·
Share on: linkedin copy

Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response

Sigma rule (View on GitHub)

 1title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
 2id: 22154f0e-5132-4a54-aa78-cc62f6def531
 3related:
 4    - id: d526c60a-e236-4011-b165-831ffa52ab70
 5      type: similar
 6status: experimental
 7description: |
 8    Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.
 9    The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.
10    Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors
11    to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response    
12references:
13    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
14    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
15author: Swachchhanda Shrawan Poudel (Nextron Systems)
16date: 2026-01-26
17tags:
18    - attack.defense-evasion
19    - attack.t1562.001
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith:
26              - '\powershell.exe'
27              - '\pwsh.exe'
28              - '\reg.exe'
29        - OriginalFileName:
30              - 'PowerShell.EXE'
31              - 'pwsh.dll'
32              - 'reg.exe'
33    selection_cli_1:
34        CommandLine|contains:
35            - 'add '
36            - 'New-ItemProperty '
37            - 'Set-ItemProperty '
38            - 'si '  # SetItem Alias
39    selection_cli_2:
40        CommandLine|contains|all:
41            - '\Control\CI\Config'
42            - 'VulnerableDriverBlocklistEnable'
43    condition: all of selection_*
44falsepositives:
45    - It is very unlikely for legitimate activities to disable the Vulnerable Driver Blocklist via command line tools; thus it is recommended to investigate promptly.
46level: high
47regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/info.yml

References

Related rules

to-top