Windows Vulnerable Driver Blocklist Disabled
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
Sigma rule (View on GitHub)
1title: Windows Vulnerable Driver Blocklist Disabled
2id: d526c60a-e236-4011-b165-831ffa52ab70
3related:
4 - id: 22154f0e-5132-4a54-aa78-cc62f6def531
5 type: similar
6status: experimental
7description: |
8 Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
9 and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
10 particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
11 This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
12 Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
13references:
14 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
15 - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
16 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
17author: Swachchhanda Shrawan Poudel (Nextron Systems)
18date: 2026-01-26
19tags:
20 - attack.defense-evasion
21 - attack.t1562.001
22logsource:
23 category: registry_set
24 product: windows
25detection:
26 selection:
27 TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
28 Details: 'DWORD (0x00000000)'
29 condition: selection
30falsepositives:
31 - Unlikely and should be investigated immediately.
32level: high
33regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml
References
-
View a list of recommended block rules to block vulnerable non-Microsoft drivers discovered by Microsoft and the security research community.
Read More -
View a list of recommended block rules to block vulnerable non-Microsoft drivers discovered by Microsoft and the security research community.
Read More
Related rules
- Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- Vulnerable Driver Blocklist Registry Tampering Via CommandLine
- Windows Hypervisor Enforced Code Integrity Disabled
- Devcon Execution Disabling VMware VMCI Device
- Microsoft Malware Protection Engine Crash