Hypervisor Enforced Code Integrity Disabled

Detects a registry SetValue operation that writes 0 to the HypervisorEnforcedCodeIntegrity value (or to the Enabled value under the HypervisorEnforcedCodeIntegrity scenario key) in order to disable Hypervisor-Enforced Code Integrity (HVCI). With HVCI off, an attacker can load unsigned and untrusted code into the kernel. The BlackLotus UEFI bootkit referenced below disables HVCI this way, and the referenced Atomic Red Team test (T1562.001, atomic test 43) reproduces the registry change for validation.

Sigma rule

title: Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
status: experimental
description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code into the kernel.
references:
    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023/03/14
modified: 2024/01/10
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject|endswith:
            - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
            - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
            - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
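The following is an added example, not code from the SigmaHQ rule or the Sigma project. It re-implements the rule's `selection` block in Python and runs it over a handful of constructed Sysmon Event ID 13 (RegistryEvent, value set) records so the matching behaviour can be checked offline: the three fields are ANDed, the `TargetObject|endswith` list is ORed, and string comparison is case-insensitive as in Sigma's default matching. The event dictionaries, image paths and registry paths are constructed samples, not captured telemetry.

```python
"""Run the 'Hypervisor Enforced Code Integrity Disabled' Sigma selection
over constructed Sysmon Event ID 13 records.

Added example; not part of the SigmaHQ rule or the Sigma project.
Field names (EventType, TargetObject, Details) follow the Sysmon EID 13
schema that the registry_set log source maps onto.
"""

# Selection values copied verbatim from the rule above.
TARGET_SUFFIXES = (
    r"\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity",
    r"\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity",
    r"\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled",
)
DISABLED_DETAILS = "DWORD (0x00000000)"


def matches_hvci_disabled(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    EventType, TargetObject and Details are ANDed; the endswith list is
    ORed. Sigma string matching is case-insensitive, so everything is
    lower-cased before comparison.
    """
    if str(event.get("EventType", "")).lower() != "setvalue":
        return False
    target = str(event.get("TargetObject", "")).lower()
    if not any(target.endswith(suffix.lower()) for suffix in TARGET_SUFFIXES):
        return False
    return str(event.get("Details", "")).lower() == DISABLED_DETAILS.lower()


def run_rule(events):
    """Apply the selection to a sequence of events and return the hits."""
    return [event for event in events if matches_hvci_disabled(event)]


# Constructed sample events (not real telemetry). Paths mimic Sysmon's
# HKLM\... rendering of registry objects.
_HVCI_SCENARIO = (r"HKLM\System\CurrentControlSet\Control\DeviceGuard"
                  r"\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled")
SAMPLE_EVENTS = [
    # Memory integrity (HVCI scenario) switched off: should alert.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": _HVCI_SCENARIO, "Details": "DWORD (0x00000000)"},
    # Same value set to 1 (enabling HVCI): must not alert.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": _HVCI_SCENARIO, "Details": "DWORD (0x00000001)"},
    # Different DeviceGuard value set to 0: outside the rule, must not alert.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard"
                     r"\EnableVirtualizationBasedSecurity",
     "Details": "DWORD (0x00000000)"},
    # Policy value under SOFTWARE\Policies written in lower case: should alert
    # (case-insensitive match on the first suffix).
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"hklm\software\policies\microsoft\windows\deviceguard"
                     r"\hypervisorenforcedcodeintegrity",
     "Details": "DWORD (0x00000000)"},
    # Value deleted rather than set: the rule only keys on SetValue.
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": _HVCI_SCENARIO, "Details": ""},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "wrote", hit["Details"], "to", hit["TargetObject"])
```

Two things the walk-through makes visible that the rule text alone does not: the rule needs Sysmon (or an equivalent registry_set source) configured to record value-set events for these DeviceGuard paths in the first place, and because the selection matches only `SetValue` with a zero DWORD, removal of the value is not covered by this rule and would need a separate registry_delete detection if that is a concern in your environment.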
