Detectionhightest
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Jun 066f156c48-3894-4952-baf0-16193e9067d2windows
Log Source
Windowscodeintegrity-operational
ProductWindows← raw: windows
Servicecodeintegrity-operational← raw: codeintegrity-operational
Detection Logic
Detection Logic1 selector
detection:
selection:
EventID: 3036 # Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available.
condition: selectionFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
12
Resolving title…
learn.microsoft.comResolving title…
learn.microsoft.com3
Resolving title…
Internal ResearchMITRE ATT&CK
Rule Metadata
Rule ID
6f156c48-3894-4952-baf0-16193e9067d2
Status
test
Level
high
Type
Detection
Created
Tue Jun 06
Path
rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
Raw Tags
attack.privilege-escalation