Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (( PROCESSNAME endswith "\powershell.exe,\pwsh.dll,\powershell_ise,\reg.exe,\pwsh-preview.exe" OR ORIGINALFILENAME = "PowerShell.EXE,pwsh.dll,PowerShell_ISE.EXE,reg.exe" ) AND COMMANDLINE contains "add ,New-ItemProperty ,Set-ItemProperty ,si " AND COMMANDLINE contains "\DeviceGuard" AND COMMANDLINE contains "EnableVirtualizationBasedSecurity,HypervisorEnforcedCodeIntegrity" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


