Advisory severity: high

Windows HVCI Disabled via Registry Modification

Detection of Hypervisor-protected Code Integrity (HVCI) being disabled by modifying specific Windows registry keys, potentially allowing the execution of malicious kernel-mode code.

This threat brief focuses on the disabling of Hypervisor-protected Code Integrity (HVCI) on Windows systems. HVCI is a critical security feature that protects the kernel and system processes from tampering by malicious code. Attackers may disable HVCI to bypass security controls and execute unsigned kernel-mode code, leading to kernel-level rootkits or other severe security breaches. This activity is detected by monitoring changes to specific Windows registry keys related to HVCI configuration using Sysmon Event ID 13. The activity is associated with the BlackLotus Campaign, which exploits CVE-2022-21894.

Attack Chain

  1. The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker escalates privileges to gain administrative access, required to modify system-level registry settings.
  3. The attacker uses a script or executable to modify the registry.
  4. The script modifies the registry key HKLM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled to a value of 0x00000000.
  5. The system restarts, and HVCI is disabled.
  6. The attacker deploys and executes unsigned kernel-mode code or a rootkit.
  7. The malicious code gains persistent control of the system at the kernel level.
  8. The attacker performs further malicious activities, such as data theft or system compromise.

Impact

Successful disabling of HVCI can lead to a complete compromise of the affected system. Attackers can install kernel-level rootkits, bypass security controls, and execute arbitrary code in the kernel. This can lead to data theft, system instability, and further propagation of malware within the network. The BlackLotus campaign exploits this type of vulnerability to establish persistent, low-level control over compromised systems.

Recommendation

  • Enable Sysmon Event ID 13 logging to capture registry modification events.
  • Deploy the Sigma rule Detect HVCI Disable via Registry to your SIEM to detect HVCI being disabled.
  • Investigate any detected instances of HVCI being disabled, as this can be a sign of malicious activity.
  • Ensure systems are patched against CVE-2022-21894 to prevent exploitation.
  • Monitor for suspicious processes modifying the registry keys related to HVCI.
  • Tune the Sigma rule Detect HVCI Disable via Registry to filter out legitimate administrative scripts, if necessary.
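As an added example (not part of this advisory or its Sigma rules), the following Python applies the registry-side detection to constructed Sysmon Event ID 13 records and carries an allow-list parameter for the tuning step above. Field names follow Sysmon's RegistryEvent (Value Set) schema; matching on the key suffix instead of the full path is an assumption made so that the check tolerates differences in how the hive prefix is rendered.

```python
import re

# Value whose write to 0 disables HVCI (path from the advisory). Sysmon may render the
# hive prefix differently (e.g. HKLM\System\CurrentControlSet...), so match on the suffix.
HVCI_ENABLED_SUFFIX = r"\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled".lower()
# Sysmon renders a DWORD write as "DWORD (0x00000000)"; any all-zero value means disabled.
DISABLED_DETAILS = re.compile(r"DWORD \(0x0+\)$", re.IGNORECASE)

HVCI_KEY = r"HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"

# Constructed sample Sysmon Event ID 13 records, flattened the way a SIEM would index
# them. These are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",                      # disable: alert
     "TargetObject": HVCI_KEY + r"\Enabled", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",             # re-enable: no alert
     "TargetObject": HVCI_KEY + r"\Enabled", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",                      # other value: no alert
     "TargetObject": HVCI_KEY + r"\Locked", "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",                      # key create: ignored
     "TargetObject": HVCI_KEY, "Details": ""},
]


def is_hvci_disable(event: dict) -> bool:
    """True when the record is a Value Set event writing 0 to the HVCI Enabled value."""
    if event.get("EventID") != 13:
        return False
    if not event.get("TargetObject", "").lower().endswith(HVCI_ENABLED_SUFFIX):
        return False
    return DISABLED_DETAILS.search(event.get("Details", "")) is not None


def detect(events, allowed_images=()) -> list:
    """Return one alert per HVCI-disable write whose writing process is not allow-listed.

    allowed_images is the tuning hook for known administrative tooling; which images
    belong there is an operator decision and nothing is allow-listed by default.
    """
    allowed = {img.lower() for img in allowed_images}
    alerts = []
    for ev in events:
        if not is_hvci_disable(ev) or ev.get("Image", "").lower() in allowed:
            continue
        alerts.append({"image": ev["Image"], "target": ev["TargetObject"],
                       "details": ev["Details"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("HVCI disabled via registry:", alert)
```

The second rule on this page (process-side) would key on the same image field from process-creation telemetry rather than on the registry write itself.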

Detection coverage (2 rules)

Detect HVCI Disable via Registry

Severity: high

Detects disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry.

Format: sigma. Tactics: defense_evasion. Techniques: T1562.001. Sources: registry_set, windows.

Detect HVCI Disable via Registry - Process

Severity: medium

Detects processes that modify the HVCI-related registry key.

Format: sigma. Tactics: defense_evasion. Techniques: T1562.001. Sources: process_creation, windows.
