Windows Vulnerable Driver Blocklist Disabled

Title: Windows Vulnerable Driver Blocklist Disabled
Status: experimental
Description:Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
References:
  -https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
  -https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
  -https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-01-26
modified:None
Tags:

• -'attack.defense-evasion'
• -'attack.t1562.001'

Logsource:

• category: registry_set
• product: windows

Detection:
  selection:
    TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
    Details: 'DWORD (0x00000000)'
  condition:selection
Falsepositives:
  -Unlikely and should be investigated immediately.
Level: high