Driver Added To Disallowed Images In HVCI - Registry

    Date: 08/22/2024

    Severity: Medium

    Summary

    The "Driver Added To Disallowed Images In HVCI - Registry" detection fires when a registry value named HVCIDisallowedImages is written under the Code Integrity key, HKLM\SYSTEM\CurrentControlSet\Control\CI. Hypervisor-Protected Code Integrity (HVCI) is a virtualization-based security feature in Windows that enforces kernel-mode code integrity from the hypervisor, so that only signed, policy-compliant drivers and kernel code can execute. HVCIDisallowedImages is a list of driver images that HVCI will refuse to load. Administrators occasionally use it to keep a known-incompatible driver from loading, but because it is an ordinary registry value, an attacker with administrative rights can write the file name of a security product's kernel driver (an EDR or antivirus sensor) into it so that the driver is refused the next time it is loaded, silently blinding the product. The referenced Sigma rule therefore treats any write to this value as defense evasion (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools) and rates it medium; expect benign hits from administrators maintaining the list, and triage on the writing process and the driver name that was added.

    Indicators of Compromise (IOC) List

    TargetObject (registry value path from a Sysmon Event ID 13 "RegistryEvent (Value Set)" record) containing both of the following substrings, for example HKLM\System\CurrentControlSet\Control\CI\HVCIDisallowedImages:

    '\Control\CI\'

    '\HVCIDisallowedImages'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (Sysmon Event ID 13 is RegistryEvent: Value Set, the event the Sigma registry_set log source maps to)

    (Resourcename in ("Sysmon") AND eventtype = "13") AND targetobject in ("\Control\CI", "\HVCIDisallowedImages")

    Detection Query 2

    (Technologygroup = "EDR" ) AND targetobject in ("\Control\CI", "\HVCIDisallowedImages")

    Note on matching: the Sigma rule uses TargetObject|contains|all, so both fragments must appear as case-insensitive substrings of the full TargetObject path (HKLM\System\CurrentControlSet\Control\CI\HVCIDisallowedImages). A literal equality test against the two fragments on their own will never fire on that full path, and an OR of the two substrings would also alert on every other value under Control\CI. Before deploying, confirm that the targetobject operator in these queries performs substring matching and that the two fragments are ANDed, not ORed.
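    The rule's matching logic, run over constructed Sysmon Event ID 13 records, as an added example that is not part of the Gurucul article or of the SigmaHQ rule. It implements Sigma's contains|all semantics beside the exact-match semantics a literal "in" would give, and shows that only the former fires on a full registry path. The sample events, their Image paths, and the Details strings (the driver name written into the value) are constructed for illustration, not real telemetry.

```python
# Added example: Sigma "TargetObject|contains|all" detection for writes to
# HVCIDisallowedImages, applied to constructed Sysmon Event ID 13 records.
# Not code from the Gurucul article or the SigmaHQ rule.

# Constructed sample records (not real telemetry). Field names follow Sysmon's
# RegistryEvent (Value Set) schema; the Details values are assumed for the example.
SAMPLE_EVENTS = [
    {   # attacker-style write of an EDR sensor driver into the disallow list
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\HVCIDisallowedImages",
        "Details": "edrsensor.sys",   # hypothetical driver name
    },
    {   # another value under the same Control\CI key: must NOT match
        "EventID": 13,
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable",
        "Details": "DWORD (0x00000001)",
    },
    {   # same value name under an unrelated key: must NOT match
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\Software\Contoso\HVCIDisallowedImages",
        "Details": "test.sys",
    },
    {   # key creation (Event ID 12), not a value set: outside registry_set scope
        "EventID": 12,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\HVCIDisallowedImages",
        "Details": "",
    },
]

# Fragments exactly as the Sigma rule lists them (note the trailing backslash
# after CI, which excludes sibling keys such as \Control\CIP\...).
RULE_FRAGMENTS = ("\\Control\\CI\\", "\\HVCIDisallowedImages")


def contains_all(value, fragments):
    """Sigma 'contains|all': every fragment is a case-insensitive substring of value."""
    haystack = value.casefold()
    return all(fragment.casefold() in haystack for fragment in fragments)


def is_hvci_disallowed_write(event):
    """registry_set (Sysmon EID 13) AND TargetObject|contains|all of RULE_FRAGMENTS."""
    return event.get("EventID") == 13 and contains_all(event.get("TargetObject", ""), RULE_FRAGMENTS)


def exact_match_in(event):
    """Literal 'targetobject in (...)' semantics: equality against either fragment.
    Kept for contrast only; a full registry path never equals a bare fragment."""
    return event.get("EventID") == 13 and event.get("TargetObject") in RULE_FRAGMENTS


def detect(events, predicate=is_hvci_disallowed_write):
    """Return one alert dict per event the predicate accepts, carrying the
    triage fields an analyst needs: who wrote the value and which driver was listed."""
    alerts = []
    for event in events:
        if predicate(event):
            alerts.append({
                "rule": "Driver Added To Disallowed Images In HVCI - Registry",
                "writer": event.get("Image"),
                "value_path": event.get("TargetObject"),
                "driver_listed": event.get("Details"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("exact-match ('in') hits:", len(detect(SAMPLE_EVENTS, exact_match_in)))
```

Running the block yields one alert, for the reg.exe write that listed edrsensor.sys, and zero hits for the exact-match variant; the Details field is worth surfacing in the alert because the driver name written into the value is what tells a responder whether a security product was targeted.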

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml


    Tags

    SigmaMalware
