Detection rules › Sigma
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\reg.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll
OriginalFileName: reg.exe
Stage 2: all of selection_cli
or:
CommandLine|contains: 'New-ItemProperty '
CommandLine|contains: 'Set-ItemProperty '
CommandLine|contains: 'add '
CommandLine|contains: 'si '
Stage 3: all of selection_cli_base
CommandLine|contains: '\DeviceGuard'
Stage 4: all of selection_cli_key
or:
CommandLine|contains: 'EnableVirtualizationBasedSecurity'
CommandLine|contains: HypervisorEnforcedCodeIntegrity
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|