Skip to content

Hide Navigation Hide TOC

Vulnerable Driver Blocklist Registry Tampering Via CommandLine (22154f0e-5132-4a54-aa78-cc62f6def531)

Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Vulnerable Driver Blocklist Registry Tampering Via CommandLine (22154f0e-5132-4a54-aa78-cc62f6def531) Sigma-Rules 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2