Vulnerable Driver Blocklist Registry Tampering Via CommandLine

Title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
Status: experimental
Description:Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
References:
  -https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
  -https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-01-26
modified:None
Tags:

• -'attack.defense-evasion'
• -'attack.t1562.001'

Logsource:

• category: process_creation
• product: windows

Detection:
  selection_img:
    - Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\reg.exe'
    - OriginalFileName:
      - 'PowerShell.EXE'
      - 'pwsh.dll'
      - 'reg.exe'
  selection_cli_1:
    CommandLine|contains:
      -'add '
      -'New-ItemProperty '
      -'Set-ItemProperty '
      -'si '

  selection_cli_2:
    CommandLine|contains|all:
      -'\Control\CI\Config'
      -'VulnerableDriverBlocklistEnable'

  condition:all of selection_*
Falsepositives:
  -It is very unlikely for legitimate activities to disable the Vulnerable Driver Blocklist via command line tools; thus it is recommended to investigate promptly.
Level: high