Detection | informational | stable
Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
Log Source
Product: Windows (raw: windows)
Service: security (raw: security)
Detection Logic (3 selectors)
detection:
    selection:
        EventID:
            - 5038
            - 6281
    filter_optional_crowdstrike:
        param1|contains:
            - '\CSFalconServiceUninstallTool_'
            - '\Program Files\CrowdStrike\'
            - '\System32\drivers\CrowdStrike\'
            - '\Windows\System32\ScriptControl64_'
    filter_optional_sophos:
        param1|contains: '\Program Files\Sophos\'
    condition: selection and not 1 of filter_optional_*
False Positives
Disk device errors
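To show how the detection logic above evaluates in practice, here is an added Python matcher (not part of the rule page or of the Sigma project) that implements `selection and not 1 of filter_optional_*` and runs it over a handful of constructed Security-log events. It assumes the event fields are named `EventID` and `param1` exactly as in the rule, and that string matching is case-insensitive, which is Sigma's default for `|contains`.

```python
"""Added example: the Sigma rule above as a small Python matcher, run over
constructed Windows Security events (not the rule page's own code)."""

# Selection: the two Code Integrity failure event IDs named in the rule.
SELECTION_EVENT_IDS = {5038, 6281}

# Optional filters from the rule. Each maps a selector name to the substrings
# that, if found in param1 (the image path), exclude the event from matching.
# Sigma string matching is case-insensitive by default, so both sides are lowered.
FILTER_OPTIONAL = {
    "filter_optional_crowdstrike": [
        "\\CSFalconServiceUninstallTool_",
        "\\Program Files\\CrowdStrike\\",
        "\\System32\\drivers\\CrowdStrike\\",
        "\\Windows\\System32\\ScriptControl64_",
    ],
    "filter_optional_sophos": ["\\Program Files\\Sophos\\"],
}


def _contains_any(value, needles):
    """Sigma `|contains` with a list: true if any needle is a substring (case-insensitive)."""
    haystack = str(value).lower()
    return any(n.lower() in haystack for n in needles)


def hit_filters(event):
    """Return the names of the filter_optional_* selectors that match this event."""
    param1 = event.get("param1", "")
    return [name for name, needles in FILTER_OPTIONAL.items() if _contains_any(param1, needles)]


def rule_matches(event):
    """Evaluate `selection and not 1 of filter_optional_*` for one event."""
    try:
        # Some log pipelines deliver EventID as a string; normalise to int.
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    if event_id not in SELECTION_EVENT_IDS:
        return False
    # "1 of filter_optional_*" is true when any optional filter hits.
    return not hit_filters(event)


def run_rule(events):
    """Return the events the rule would alert on."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (field names EventID and param1 assumed as in the rule).
SAMPLE_EVENTS = [
    {"EventID": 5038, "param1": "\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\example.sys"},
    {"EventID": "6281", "param1": "\\Device\\HarddiskVolume3\\Program Files\\CrowdStrike\\CSFalconService.exe"},
    {"EventID": 5038, "param1": "\\Device\\HarddiskVolume3\\Program Files\\Sophos\\Endpoint\\SEDService.exe"},
    {"EventID": 6281, "param1": "\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_1234.dll"},
    {"EventID": 4624, "param1": ""},
]

if __name__ == "__main__":
    # Only the first sample event survives: it is a selected ID and hits no filter.
    for e in run_rule(SAMPLE_EVENTS):
        print("ALERT", e["EventID"], e["param1"])
```

Only the first sample event alerts; the CrowdStrike and Sophos paths are dropped by the optional filters, and event 4624 never enters the selection. When tuning the rule for your own environment, extend `FILTER_OPTIONAL` with the same kind of path prefixes rather than widening the selection, so that the informational level still covers every 5038/6281 outside known-good products.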
MITRE ATT&CK
Tactics: Defense Evasion
Sub-techniques: T1027.001
Rule Metadata
Rule ID
470ec5fa-7b4e-4071-b200-4c753100f49b
Status
stable
Level
informational
Type
Detection
Created
Tue Dec 03
Modified
Sun Jan 19
Author
Path
rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
Raw Tags
attack.defense-evasion, attack.t1027.001