Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor-enforced Paging Translation (HVPT) feature.
Sigma rule
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: test
description: |
    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
    - https://twitter.com/standa_t/status/1808868985678803222
    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
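To see what the selection above actually fires on, the following added example (not part of the Sigma rule or the sigma project) evaluates the `TargetObject|endswith` and exact `Details` match against constructed Sysmon-style registry_set events; the registry key path in the samples is a placeholder, since the page does not state where the value lives.

```python
"""Evaluate this rule's selection against constructed registry_set events."""

# Added example: a minimal evaluator for the two field matches in the rule,
# not the sigma project's own matching engine.
SELECTION = {
    "TargetObject|endswith": "\\DisableHypervisorEnforcedPagingTranslation",
    "Details": "DWORD (0x00000001)",
}


def field_matches(event, key, expected):
    """Apply one Sigma field match: plain 'field' is exact, 'field|endswith' is a suffix test.
    Sigma string comparisons are case-insensitive, so both sides are lowered."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if modifier == "":
        return value == expected.lower()
    if modifier == "endswith":
        return value.endswith(expected.lower())
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_rule(event):
    """condition: selection -> every field in the selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in SELECTION.items())


# Constructed sample events in Sysmon Event ID 13 (RegistryEvent: Value Set) shape.
# PLACEHOLDER_KEY stands in for the real parent key, which the page does not give.
PLACEHOLDER_KEY = "HKLM\\SYSTEM\\<placeholder-key>"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": PLACEHOLDER_KEY + "\\DisableHypervisorEnforcedPagingTranslation",
     "Details": "DWORD (0x00000001)"},   # feature disabled -> alert
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": PLACEHOLDER_KEY + "\\DisableHypervisorEnforcedPagingTranslation",
     "Details": "DWORD (0x00000000)"},   # value set back to 0 -> no alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": PLACEHOLDER_KEY + "\\SomeOtherValue",
     "Details": "DWORD (0x00000001)"},   # unrelated value -> no alert
]


def run(events=SAMPLE_EVENTS):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit["Image"], hit["TargetObject"], hit["Details"])
```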