Detection rules › Sigma
Vulnerable Driver Blocklist Registry Tampering Via CommandLine
Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\reg.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll
OriginalFileName: reg.exe
Stage 2: all of selection_cli_1
or:
CommandLine|contains: 'New-ItemProperty '
CommandLine|contains: 'Set-ItemProperty '
CommandLine|contains: 'add '
CommandLine|contains: 'si '
Stage 3: all of selection_cli_2
CommandLine|contains: VulnerableDriverBlocklistEnable
CommandLine|contains: '\Control\CI\Config'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|