Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
Sigma rule
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: test
description: |
    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
    - https://twitter.com/standa_t/status/1808868985678803222
    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
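As an added example (not part of the rule or the Sigma project), the following Python applies the rule's selection to a handful of constructed Sysmon Event ID 13 (RegistryEvent, value set) records, which is what the registry_set/windows logsource maps to. The parent key path used in the samples is an assumption for illustration only; the rule anchors on the trailing value name, not on the parent key. The matching follows Sigma semantics: string comparisons are case-insensitive, and a backslash in a Sigma string is literal unless it escapes a wildcard.

```python
"""Evaluate the 'Hypervisor Enforced Paging Translation Disabled' selection
over constructed Sysmon Event ID 13 records (added example, not Sigma code)."""

# Hypothetical parent key, used only so the sample paths look realistic.
# The rule matches on the value name suffix regardless of the parent key.
PARENT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"

# Constructed sample records modelled on Sysmon Event ID 13 fields.
SAMPLE_EVENTS = [
    {   # reg.exe sets the value to 1: the case the rule exists for
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": PARENT_KEY + r"\DisableHypervisorEnforcedPagingTranslation",
        "Details": "DWORD (0x00000001)",
    },
    {   # same write with a differently cased path: Sigma matching is case-insensitive
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": PARENT_KEY.lower() + r"\disablehypervisorenforcedpagingtranslation",
        "Details": "DWORD (0x00000001)",
    },
    {   # value reset to 0 (feature left enabled): not a hit
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": PARENT_KEY + r"\DisableHypervisorEnforcedPagingTranslation",
        "Details": "DWORD (0x00000000)",
    },
    {   # same name written as REG_SZ "1": Details differs, so the rule does not fire
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": PARENT_KEY + r"\DisableHypervisorEnforcedPagingTranslation",
        "Details": "1",
    },
    {   # an unrelated value set to 1 under the same key: not a hit
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": PARENT_KEY + r"\EnableVirtualizationBasedSecurity",
        "Details": "DWORD (0x00000001)",
    },
    {   # process creation (Event ID 1): wrong logsource, never evaluated by this rule
        "EventID": 1,
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": "reg add " + PARENT_KEY
        + " /v DisableHypervisorEnforcedPagingTranslation /t REG_DWORD /d 1 /f",
    },
]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma |endswith modifier: case-insensitive suffix match."""
    return value.casefold().endswith(suffix.casefold())


def sigma_equals(value: str, expected: str) -> bool:
    """Plain Sigma field comparison: case-insensitive exact match."""
    return value.casefold() == expected.casefold()


def matches_rule(event: dict) -> bool:
    """Evaluate 'condition: selection' for one record."""
    # logsource gate: only Sysmon Event ID 13 is a registry value-set event
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    return (
        sigma_endswith(target, r"\DisableHypervisorEnforcedPagingTranslation")
        and sigma_equals(details, "DWORD (0x00000001)")
    )


def find_hits(events: list[dict]) -> list[dict]:
    """Return every record the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT level=high image={hit['Image']} target={hit['TargetObject']}")
```

Two points worth keeping in mind when tuning this rule: the selection has no constraint on the parent key, so any value with this trailing name anywhere in the registry matches (which is why false positives are listed as unknown), and Details is an exact match on the Sysmon rendering of a REG_DWORD of 1, so a write of a different registry type would not be caught by this rule; whether Windows honours such a value is not something the rule or its references state.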
Related rules
- Hypervisor Enforced Code Integrity Disabled
- Obfuscated PowerShell OneLiner Execution
- Custom Cobalt Strike Command Execution
- Deleting Windows Defender scheduled tasks
- Enabling restricted admin mode