CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by Code Integrity for protected processes.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Tue Jun 06
Rule ID: 5daf11c3-022b-4969-adb9-365e6c078c7c
Product: windows
Log Source
Product: Windows (raw: windows)
Service: codeintegrity-operational (raw: codeintegrity-operational)
Detection Logic (1 selector)
detection:
  selection:
    EventID: 3104 # Windows blocked file %2 which has been disallowed for protected processes.
  condition: selection

False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
1. learn.microsoft.com
2. learn.microsoft.com
3. Internal Research

MITRE ATT&CK
Rule Metadata
Rule ID
5daf11c3-022b-4969-adb9-365e6c078c7c
Status
test
Level
high
Type
Detection
Created
Tue Jun 06
Path
rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
Raw Tags
attack.privilege-escalation