Sigma | high | Hunting
Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
Detection Query
selection:
    TargetObject|endswith: \DisableHypervisorEnforcedPagingTranslation
    Details: DWORD (0x00000001)
condition: selection
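To show how the selection above behaves on real-looking telemetry, here is an added example (not part of the Sigma project or of this rule) that evaluates the two selection entries over constructed Sysmon-style registry_set events. It assumes the field names of Sysmon Event ID 13 (TargetObject, Details), implements only the handful of Sigma string modifiers needed here with Sigma's default case-insensitive matching, and uses a placeholder parent key path, since the rule anchors only on the value name via endswith.

```python
# Added example: a minimal evaluator for this rule's selection over Sysmon-style
# registry_set events. Not part of the Sigma project or of the rule itself.
# Field names (TargetObject, Details) follow Sysmon Event ID 13; the parent key
# path in the samples is a PLACEHOLDER because the rule only anchors on the value name.

RULE_SELECTION = {
    "TargetObject|endswith": "\\DisableHypervisorEnforcedPagingTranslation",
    "Details": "DWORD (0x00000001)",
}


def field_matches(event, key, expected):
    """Apply one selection entry ('Field' or 'Field|modifier') to an event.

    Sigma string comparison is case-insensitive by default, so both sides are
    lower-cased before comparing.
    """
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False  # field absent from the event: the entry cannot match
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event, selection=RULE_SELECTION):
    """All entries of a selection map are ANDed together, as in Sigma."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def hunt(events, selection=RULE_SELECTION):
    """Return the events that satisfy 'condition: selection'."""
    return [ev for ev in events if selection_matches(ev, selection)]


# Constructed sample events, not real telemetry. The parent key is a placeholder.
PLACEHOLDER_KEY = "HKLM\\SYSTEM\\PLACEHOLDER_PARENT_KEY"
SAMPLE_EVENTS = [
    {   # value set to 1: HVPT disabled -> the rule should fire
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": PLACEHOLDER_KEY + "\\DisableHypervisorEnforcedPagingTranslation",
        "Details": "DWORD (0x00000001)",
    },
    {   # same value set back to 0: not a disable -> must not fire
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": PLACEHOLDER_KEY + "\\DisableHypervisorEnforcedPagingTranslation",
        "Details": "DWORD (0x00000000)",
    },
    {   # a different (constructed) value under the same key, also 1 -> must not fire
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": PLACEHOLDER_KEY + "\\SomeOtherValue",
        "Details": "DWORD (0x00000001)",
    },
    {   # value name written in different case (registry names are case-insensitive) -> fires
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": PLACEHOLDER_KEY + "\\disablehypervisorenforcedpagingtranslation",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"HIT level=high image={hit['Image']} target={hit['TargetObject']}")
```

Two of the four constructed events match: the plain write of 1 and the mixed-case write, while the reset to 0 and the unrelated value do not. Note that the Details entry is an exact string match, so the rule fires only on a value that Sysmon renders as DWORD (0x00000001); any other representation would need its own selection entry.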
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2024-07-05
Data Sources
windows: Registry Set Events
Platforms
windows
References
Tags
attack.defense-evasion
attack.t1562.001
Raw Content
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: test
description: |
    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
    - https://twitter.com/standa_t/status/1808868985678803222
    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high