Hypervisor Enforced Code Integrity Disabled
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
Sigma rule (View on GitHub)
1title: Hypervisor Enforced Code Integrity Disabled
2id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
3status: experimental
4description: |
5 Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
6references:
7 - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
8 - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
9author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
10date: 2023/03/14
11modified: 2024/07/05
12tags:
13 - attack.defense_evasion
14 - attack.t1562.001
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 TargetObject|endswith:
21 - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
22 - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
23 - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
24 Details: 'DWORD (0x00000000)'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Disable Windows Defender Functionalities Via Registry Keys
- Hypervisor Enforced Paging Translation Disabled
- Windows Defender Threat Detection Service Disabled
- Azure Kubernetes Events Deleted
- Disable-WindowsOptionalFeature Command PowerShell