Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine

Rule Info

Name
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
Reference
https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
Date
2026-01-26 00:00:00
Modified
None
Id
6225c53a-a96e-4235-b28f-8d7997cd96eb
Tags
attack.defense-evasion attack.t1562.001
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=6225c53a-a96e-4235-b28f-8d7997cd96eb

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
2026-01-27
3d8c650ba
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022