CodeIntegrity - Hypervisor Code Integrity Blocked Driver From Loading

Rule Info

Name
CodeIntegrity - Hypervisor Code Integrity Blocked Driver From Loading
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects events indicating that HVCI blocked a driver from loading. These drivers are the ones referenced by "HVCIDisallowedImages".
Date
2023-12-05 00:00:00
Modified
None
Id
cf68c9d6-4cd8-40e1-8d96-adb6092bf5de
Tags
attack.privilege-escalation
Type
Nextron Sigma feed only (private)

Rule History