Hypervisor Enforced Code Integrity Disabled

calendar Jul 17, 2024 · attack.defense_evasion attack.t1562.001  ·
Share on: linkedin copy

Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel

Sigma rule (View on GitHub)

 1title: Hypervisor Enforced Code Integrity Disabled
 2id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
 3status: experimental
 4description: |
 5        Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
 6references:
 7    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
 8    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
 9author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
10date: 2023/03/14
11modified: 2024/07/05
12tags:
13    - attack.defense_evasion
14    - attack.t1562.001
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|endswith:
21            - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
22            - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
23            - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
24        Details: 'DWORD (0x00000000)'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top