Windows Vulnerable Driver Blocklist Disabled
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects when the Windows Vulnerable Driver Blocklist is set to disabled.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Registry Event" AND ( OBJECTNAME contains "\Control\CI\Config" ) AND ( OBJECTNAME contains "VulnerableDriverBlocklistEnable" OR OBJECTVALUENAME = "VulnerableDriverBlocklistEnable" ) AND ( INFORMATION contains "0x00000000" OR CHANGES = "0" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


