new: Vulnerable Driver Blocklist and HVCI Disable via Registry

regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_hvci/6225c53a-a96e-4235-b28f-8d7997cd96eb.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-23T02:25:20.222853Z"
+        }
+      },
+      "EventRecordID": 90965,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3320,
+          "ThreadID": 4216
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-23 02:25:20.191",
+      "ProcessGuid": "0197231E-FD90-6949-5110-000000000D00",
+      "ProcessId": 10104,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg.exe  add \"HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\" /v \"Enabled\" /t REG_DWORD /d 0 /f",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-5032-6940-AAE2-070000000000",
+      "LogonId": "0x7e2aa",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0",
+      "ParentProcessGuid": "0197231E-FB8C-6949-2310-000000000D00",
+      "ParentProcessId": 22176,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_hvci/info.yml

@@ -0,0 +1,13 @@
+id: 7c72394d-cb39-4d53-836a-ebc524ee1685
+description: N/A
+date: 2025-12-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
+      title: Hypervisor-protected Code Integrity (HVCI) Disabled via REG.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_hvci/6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx

regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_vulnerable_driver_blocklist/22154f0e-5132-4a54-aa78-cc62f6def531.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-23T02:16:46.810517Z"
+        }
+      },
+      "EventRecordID": 90849,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3320,
+          "ThreadID": 4216
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-23 02:16:46.792",
+      "ProcessGuid": "0197231E-FB8E-6949-2610-000000000D00",
+      "ProcessId": 25368,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg  add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config\" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 00000000 /f",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-5032-6940-AAE2-070000000000",
+      "LogonId": "0x7e2aa",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0",
+      "ParentProcessGuid": "0197231E-FB8C-6949-2310-000000000D00",
+      "ParentProcessId": 22176,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_vulnerable_driver_blocklist/info.yml

@@ -0,0 +1,13 @@
+id: eca9f987-800a-4b32-92ec-2d50a0a120a0
+description: N/A
+date: 2025-12-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
+      title: Vulnerable Driver Blocklist Disabled via REG.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_vulnerable_driver_blocklist/22154f0e-5132-4a54-aa78-cc62f6def531.evtx

regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/d526c60a-e236-4011-b165-831ffa52ab70.json

@@ -0,0 +1,52 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-23T02:22:32.926365Z"
+        }
+      },
+      "EventRecordID": 90931,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3320,
+          "ThreadID": 4216
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2025-12-23 02:22:32.922",
+      "ProcessGuid": "0197231E-FCE8-6949-4010-000000000D00",
+      "ProcessId": 17728,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable",
+      "Details": "DWORD (0x00000000)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml

@@ -0,0 +1,13 @@
+id: 329ecd6e-38a9-4bab-a75f-66854af61019
+description: N/A
+date: 2025-12-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: d526c60a-e236-4011-b165-831ffa52ab70
+      title: Vulnerable Driver Blocklist Disabled
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/d526c60a-e236-4011-b165-831ffa52ab70.evtx

rules/windows/process_creation/proc_creation_win_reg_disable_hvci.yml

@@ -0,0 +1,53 @@
+title: Hypervisor-protected Code Integrity (HVCI) Disabled via REG.EXE
+id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
+related:
+    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
+      type: similar
+status: experimental
+description: |
+    Detects the disabling of Hypervisor-protected Code Integrity (HVCI) via the use of the REG.EXE command-line utility.
+    HVCI helps protect the kernel and system processes from tampering by malicious code.
+    Disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or EDR bypass techniques.
+references:
+    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
+    - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-12-22
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_cli_key:
+        - CommandLine|contains|all:
+              - '\Control\DeviceGuard'
+              - 'HypervisorEnforcedCodeIntegrity'
+        - CommandLine|contains|all:
+              - '\Control\DeviceGuard'
+              - 'EnableVirtualizationBasedSecurity'
+        - CommandLine|contains|all:
+              - '\Microsoft\Windows\DeviceGuard'
+              - 'HypervisorEnforcedCodeIntegrity'
+    selection_cli_value:
+        CommandLine|contains|all:
+            - 'add'
+            - '0'
+    filter_main_enable:
+        CommandLine|contains:
+            - '0x000000001'  # Legitimate enabling of HVCI
+            - '0x1'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_hvci/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
+      technique: T1562.001
+      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020

rules/windows/process_creation/proc_creation_win_reg_disable_vulnerable_driver_blocklist.yml

@@ -0,0 +1,40 @@
+title: Vulnerable Driver Blocklist Disabled via REG.EXE
+id: 22154f0e-5132-4a54-aa78-cc62f6def531
+related:
+    - id: d526c60a-e236-4011-b165-831ffa52ab70
+      type: similar
+status: experimental
+description: |
+    Detects attempts to disable Windows vulnerable driver blocklist via registry modification using reg.exe.
+    The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.
+    Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors
+    to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
+references:
+    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-12-22
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - '\SYSTEM\CurrentControlSet'
+            - '\Control\CI\Config'
+            - 'VulnerableDriverBlocklistEnable'
+            - '0'
+    filter_main_enable:
+        CommandLine|contains:
+            - '0x000000001'  # Legitimate enabling of Vulnerable Driver Blocklist
+            - '0x1'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_disable_vulnerable_driver_blocklist/info.yml

rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml

@@ -1,5 +1,8 @@
 title: Hypervisor Enforced Code Integrity Disabled
 id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
+related:
+    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
+      type: similar
 status: test
 description: |
     Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
@@ -24,7 +27,7 @@ detection:
         Details: 'DWORD (0x00000000)'
     condition: selection
 falsepositives:
-    - Unknown
+    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
 level: high
 regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
 simulation:

rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml

@@ -0,0 +1,32 @@
+title: Vulnerable Driver Blocklist Disabled
+id: d526c60a-e236-4011-b165-831ffa52ab70
+related:
+    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
+      type: similar
+status: experimental
+description: |
+    Detects when the Windows Vulnerable Driver Blocklist is disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
+    and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
+    particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
+    This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-12-22
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\SYSTEM\CurrentControlSet'
+        TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
+        Details: 'DWORD (0x00000000)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml