Skip to content

Hide Navigation Hide TOC

Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine (6225c53a-a96e-4235-b28f-8d7997cd96eb)

Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine (6225c53a-a96e-4235-b28f-8d7997cd96eb) Sigma-Rules 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2