This artifact will return the Enabled KeyValue in the Hypervisor-protected Code Integrity (HVCI) registry path. An adversary may set the Enabled key to 0 if they intend to manipulate UEFI boot process.
The artifact will group by KeyName, KeyValue and KeyType to account for multiple control sets.
name: Windows.Registry.HVCI
author: Matt Green - @mgreen27
description: |
This artifact will return the Enabled KeyValue in the Hypervisor-protected Code
Integrity (HVCI) registry path. An adversary may set the Enabled key to 0
if they intend to manipulate UEFI boot process.
The artifact will group by KeyName, KeyValue and KeyType to account for
multiple control sets.
reference:
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
- https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
parameters:
- name: KeyGlob
default: HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\**
- name: OnlyShowZero
type: bool
description: If this is set, the results will only show KeyValues = 0
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT
Mtime,
OSPath,
Data.type as KeyType,
Name as KeyName,
Data.value as KeyValue
FROM glob(globs=KeyGlob, accessor="registry")
WHERE KeyName = 'Enabled'
AND if(condition= OnlyShowZero,
then= KeyValue = 0,
else= True )
GROUP BY KeyName, KeyValue, KeyType