Vulnerable Driver Blocklist Registry Tampering Via CommandLine

Rule Info

Name: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects tampering with the Vulnerable Driver Blocklist registry setting via command-line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent known vulnerable drivers from loading. Disabling it may indicate an attempt to bypass security controls; threat actors often target this feature to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
Date: 2026-01-26 00:00:00
Modified: None
Id: 22154f0e-5132-4a54-aa78-cc62f6def531
Tags: attack.defense-evasion attack.t1562.001
Type: Community Rule
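Added example (not the Sigma rule itself and not from the rule page): a small Python classifier that applies the description's logic to constructed process command lines, flagging only writes that set the blocklist switch to 0 and ignoring reads or re-enabling writes. The registry key and value name (HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, VulnerableDriverBlocklistEnable) are assumed from Microsoft documentation; the page does not spell them out.

```python
import re
from typing import List, Optional, Tuple

# Location of the blocklist switch. Assumed from Microsoft documentation; the
# rule page itself does not name the key or value. The key pattern also accepts
# ControlSetNNN paths, not only CurrentControlSet.
CI_CONFIG_KEY = re.compile(r'\\Control\\CI\\Config\b', re.IGNORECASE)
VALUE_NAME = 'VulnerableDriverBlocklistEnable'

# reg.exe write: reg add <key> /v <name> /t REG_DWORD /d <data>
_REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\b', re.IGNORECASE)
_REG_VALUE = re.compile(r'/v\s+"?' + VALUE_NAME + r'\b', re.IGNORECASE)
_REG_DATA = re.compile(r'/d\s+"?(\w+)', re.IGNORECASE)

# PowerShell write: Set-ItemProperty/New-ItemProperty -Path <key> -Name <name> -Value <data>
_PS_SET = re.compile(r'\b(?:Set|New)-ItemProperty\b', re.IGNORECASE)
_PS_NAME = re.compile(r'-Name\s+[\'"]?' + VALUE_NAME + r'\b', re.IGNORECASE)
_PS_VALUE = re.compile(r'-Value\s+[\'"]?(\w+)', re.IGNORECASE)


def _disables(data: str) -> bool:
    """True when the written DWORD is zero (decimal or 0x-prefixed hex)."""
    try:
        return int(data, 0) == 0
    except ValueError:
        return False


def classify(cmdline: str) -> Optional[str]:
    """Return the tool used to disable the blocklist, or None when benign."""
    if not CI_CONFIG_KEY.search(cmdline):
        return None
    if _REG_ADD.search(cmdline) and _REG_VALUE.search(cmdline):
        m = _REG_DATA.search(cmdline)
        if m and _disables(m.group(1)):
            return 'reg.exe'
    if _PS_SET.search(cmdline) and _PS_NAME.search(cmdline):
        m = _PS_VALUE.search(cmdline)
        if m and _disables(m.group(1)):
            return 'powershell'
    return None


# Constructed sample command lines (not real telemetry): two disables via reg.exe,
# one via PowerShell, then a re-enable and two read-only queries that must not fire.
SAMPLE_EVENTS = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0 /f',
    r'powershell.exe -c "Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config -Name VulnerableDriverBlocklistEnable -Value 0"',
    r'reg add HKLM\SYSTEM\ControlSet001\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 1 /f',
    r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable',
    r'powershell -c "Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config"',
]


def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, tool) pairs for every event that disables the blocklist."""
    return [(e, tool) for e in events if (tool := classify(e)) is not None]
```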

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
Date: 2026-01-27
Commit: