Windows Vulnerable Driver Blocklist Disabled

 1title: Windows Vulnerable Driver Blocklist Disabled
 2id: d526c60a-e236-4011-b165-831ffa52ab70
 3related:
 4    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
 5      type: similar
 6status: experimental
 7description: |
 8    Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
 9    and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
10    particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
11    This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
12    Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.    
13references:
14    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
15    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
16    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
17author: Swachchhanda Shrawan Poudel (Nextron Systems)
18date: 2026-01-26
19tags:
20    - attack.defense-impairment
21    - attack.t1685
22logsource:
23    category: registry_set
24    product: windows
25detection:
26    selection:
27        TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
28        Details: 'DWORD (0x00000000)'
29    condition: selection
30falsepositives:
31    - Unlikely and should be investigated immediately.
32level: high
33regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml