Detectionhightest
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Jun 06320fccbf-5e32-4101-82b8-2679c5f007c6windows
Log Source
Windowscodeintegrity-operational
ProductWindows← raw: windows
Servicecodeintegrity-operational← raw: codeintegrity-operational
Detection Logic
Detection Logic1 selector
detection:
selection:
EventID:
- 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available.
- 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
condition: selectionFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
12
Resolving title…
learn.microsoft.comResolving title…
learn.microsoft.com3
Resolving title…
Internal ResearchMITRE ATT&CK
Rule Metadata
Rule ID
320fccbf-5e32-4101-82b8-2679c5f007c6
Status
test
Level
high
Type
Detection
Created
Tue Jun 06
Path
rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
Raw Tags
attack.privilege-escalation