Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

Windows Vulnerable Driver Blocklist Disabled

Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Jan 26d526c60a-e236-4011-b165-831ffa52ab70windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic1 selector
detection:
    selection:
        TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
False Positives

Unlikely and should be investigated immediately.

References
1
Resolving title…
docs.microsoft.com
2
Resolving title…
sophos.com
3
Resolving title…
learn.microsoft.com
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

Vulnerable Driver Blocklist Registry Tampering Via CommandLine

Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
d526c60a-e236-4011-b165-831ffa52ab70
Status
experimental
Level
high
Type
Detection
Created
Mon Jan 26
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml
Raw Tags
attack.defense-evasionattack.t1562.001
View on GitHub