Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
Sigma rule
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: experimental
description: |
    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
    - https://twitter.com/standa_t/status/1808868985678803222
    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
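To see what the `selection` block above actually matches, here is an added example (not part of the rule or of the Sigma project) that evaluates the two selection fields the way a Sigma backend would, run over a handful of constructed registry_set events shaped like Sysmon Event ID 13. It assumes Sysmon's field names (`TargetObject`, `Details`), which is what the `windows`/`registry_set` log source maps to; the parent registry key in the sample paths is a constructed placeholder, because the rule only tests the trailing value name.

```python
# Added example, not part of the Sigma rule above or of the Sigma project:
# a minimal evaluator for this rule's `selection` block, run over constructed
# registry_set events shaped like Sysmon Event ID 13 (RegistryEvent, Value Set).
#
# Assumptions: field names `TargetObject` and `Details` follow Sysmon's naming,
# which is what Sigma's windows/registry_set log source maps to. The parent key
# in the sample paths is a constructed placeholder: the rule matches only on
# the value-name suffix, so the parent key never influences the result.

# Selection block transcribed from the rule.
TARGET_SUFFIX = "\\DisableHypervisorEnforcedPagingTranslation"
DETAILS_VALUE = "DWORD (0x00000001)"


def matches_rule(event: dict) -> bool:
    """Return True when `event` satisfies the rule's `selection` block.

    Sigma string comparisons are case-insensitive by default, so both fields
    are lowercased before comparing. `TargetObject|endswith` becomes a suffix
    test; the bare `Details` field is an exact (case-insensitive) equality.
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return target.endswith(TARGET_SUFFIX.lower()) and details == DETAILS_VALUE.lower()


def find_hits(events: list[dict]) -> list[dict]:
    """Filter a list of registry_set events down to those the rule would flag."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not real log data). The parent key is a
# placeholder; only the trailing value name matters to the rule.
PLACEHOLDER_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\PLACEHOLDER_PARENT_KEY"

SAMPLE_EVENTS = [
    {   # value set to 1: the change the rule is written to catch
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": PLACEHOLDER_KEY + TARGET_SUFFIX,
        "Details": "DWORD (0x00000001)",
    },
    {   # same value set to 0 (feature stays enabled): no alert
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": PLACEHOLDER_KEY + TARGET_SUFFIX,
        "Details": "DWORD (0x00000000)",
    },
    {   # different value name under the same placeholder key: no alert
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": PLACEHOLDER_KEY + "\\SomeOtherValue",
        "Details": "DWORD (0x00000001)",
    },
    {   # path and type written in different casing: still matches
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": (PLACEHOLDER_KEY + TARGET_SUFFIX).upper(),
        "Details": "dword (0x00000001)",
    },
    {   # value set to 2: does not match the rule as written (exact comparison)
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": PLACEHOLDER_KEY + TARGET_SUFFIX,
        "Details": "DWORD (0x00000002)",
    },
]


if __name__ == "__main__":
    # Expected: two alerts (the first and the fourth sample event).
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT (level: high):", hit["Image"], "->", hit["TargetObject"], hit["Details"])
```

The `Details` comparison relies on the `DWORD (0x00000001)` rendering that Sysmon uses for DWORD values; if your registry_set events come from a collector that formats values differently, that field needs adapting or the rule will silently miss the change.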