Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

Vulnerable Driver Blocklist Registry Tampering Via CommandLine

Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Jan 2622154f0e-5132-4a54-aa78-cc62f6def531windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_1:
        CommandLine|contains:
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si '  # SetItem Alias
    selection_cli_2:
        CommandLine|contains|all:
            - '\Control\CI\Config'
            - 'VulnerableDriverBlocklistEnable'
    condition: all of selection_*
False Positives

It is very unlikely for legitimate activities to disable the Vulnerable Driver Blocklist via command line tools; thus it is recommended to investigate promptly.

References
1
Resolving title…
sophos.com
2
Resolving title…
learn.microsoft.com
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

Windows Vulnerable Driver Blocklist Disabled

Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
22154f0e-5132-4a54-aa78-cc62f6def531
Status
experimental
Level
high
Type
Detection
Created
Mon Jan 26
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml
Raw Tags
attack.defense-evasionattack.t1562.001
View on GitHub