Windows Vulnerable Driver Blocklist Disabled

Rule Info

Name
Windows Vulnerable Driver Blocklist Disabled
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
Reference
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
Date
2026-01-26 00:00:00
Modified
None
Id
d526c60a-e236-4011-b165-831ffa52ab70
Tags
attack.defense-evasion attack.t1562.001
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=d526c60a-e236-4011-b165-831ffa52ab70

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
2026-01-27
3d8c650ba
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022