Hypervisor Enforced Code Integrity Disabled
Detects a registry SetValue that writes 0 to the HypervisorEnforcedCodeIntegrity value (under the DeviceGuard policy or Control key) or to the "Enabled" value of its Scenarios subkey, which turns off Hypervisor Enforced Code Integrity (HVCI). With HVCI disabled, an attacker can load unsigned or otherwise untrusted code into the kernel.
Sigma rule
title: Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
status: experimental
description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023/03/14
modified: 2024/01/10
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject|endswith:
            - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
            - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
            - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
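To show what the selection block above actually matches, the following is an added example (not part of the rule or of the SigmaHQ project) that reproduces the rule's logic in Python over constructed Sysmon Event ID 13 (registry value set) records. The field names EventType, TargetObject and Details follow Sigma's windows/registry_set field taxonomy; the sample events are constructed for illustration and are not real telemetry. The non-matching samples illustrate the edges a practitioner should know: writing 1 (enabling HVCI), writing 0 to a neighbouring DeviceGuard value, or deleting the key rather than setting a value all fall outside the rule.

```python
# Added example: reproduces the 'selection' logic of the Sigma rule above over
# constructed Sysmon Event ID 13 (registry value set) records. Field names
# (EventType, TargetObject, Details) follow Sigma's windows/registry_set
# taxonomy; the sample events are constructed, not real telemetry.
from typing import Dict, Iterable, List

# Suffixes from the rule's TargetObject|endswith modifier.
HVCI_TARGET_SUFFIXES = (
    "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity",
    "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity",
    "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled",
)
# Sysmon renders a DWORD value of 0 in the Details field as 'DWORD (0x00000000)'.
DISABLED_DETAILS = "DWORD (0x00000000)"


def matches_hvci_disabled(event: Dict[str, str]) -> bool:
    """True if the event satisfies the rule's selection block:
    EventType == SetValue AND TargetObject ends with one of the listed
    suffixes AND Details == 'DWORD (0x00000000)'. Sigma string matching is
    case-insensitive, so all comparisons are done on lower-cased values."""
    if event.get("EventType", "").lower() != "setvalue":
        return False
    target = event.get("TargetObject", "").lower()
    if not any(target.endswith(s.lower()) for s in HVCI_TARGET_SUFFIXES):
        return False
    return event.get("Details", "").lower() == DISABLED_DETAILS.lower()


def find_hvci_disable_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a stream of events and return the matches."""
    return [e for e in events if matches_hvci_disabled(e)]


# Constructed sample events (not real logs). Only the first two should alert.
SAMPLE_EVENTS = [
    {   # HVCI value under Control\DeviceGuard set to 0 -> alert
        "EventID": "13", "EventType": "SetValue",
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity",
        "Details": "DWORD (0x00000000)",
    },
    {   # Scenarios\...\Enabled set to 0 via reg.exe -> alert
        "EventID": "13", "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled",
        "Details": "DWORD (0x00000000)",
    },
    {   # Same value set to 1 (HVCI being enabled) -> no alert
        "EventID": "13", "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled",
        "Details": "DWORD (0x00000001)",
    },
    {   # A neighbouring DeviceGuard value set to 0 -> no alert (not in the suffix list)
        "EventID": "13", "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\EnableVirtualizationBasedSecurity",
        "Details": "DWORD (0x00000000)",
    },
    {   # Key deletion (Event ID 12) rather than a value set -> no alert
        "EventID": "12", "EventType": "DeleteKey",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity",
        "Details": "",
    },
]

if __name__ == "__main__":
    for hit in find_hvci_disable_events(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} to {hit['Details']}")
```

The rule's falsepositives field is "Unknown": an administrator deliberately turning off HVCI (for example for an incompatible driver) produces exactly the same SetValue event, so triage should look at the writing process (Image) and the user rather than treating every match as hostile.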
Related rules
- Powershell Defender Disable Scan Feature
- Tamper Windows Defender - PSClassic
- Tamper Windows Defender - ScriptBlockLogging
- Folder Removed From Exploit Guard ProtectedFolders List - Registry
- PUA - CleanWipe Execution