Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine

Title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Status: experimental
Description:Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
References:
  -https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
  -https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-01-26
modified:None
Tags:

• -'attack.defense-evasion'
• -'attack.t1562.001'

Logsource:

• category: process_creation
• product: windows

Detection:
  selection_img:
    - Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\reg.exe'
    - OriginalFileName:
      - 'PowerShell.EXE'
      - 'pwsh.dll'
      - 'reg.exe'
  selection_cli:
    CommandLine|contains:
      -'add '
      -'New-ItemProperty '
      -'Set-ItemProperty '
      -'si '

  selection_cli_base:
    CommandLine|contains: '\DeviceGuard'
  selection_cli_key:
    CommandLine|contains:
      -'EnableVirtualizationBasedSecurity'
      -'HypervisorEnforcedCodeIntegrity'

  condition:all of selection_*
Falsepositives:
  -Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
Level: high