Detectionhightest

CodeIntegrity - Unsigned Kernel Module Loaded

Detects the presence of a loaded unsigned kernel module on the system.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jun 06951f8d29-f2f6-48a7-859f-0673ff105e6fwindows

Log Source

Windowscodeintegrity-operational

ProductWindows← raw: windows

Servicecodeintegrity-operational← raw: codeintegrity-operational

Detection Logic

detection:
    selection:
        EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation

Rule Metadata

Rule ID

951f8d29-f2f6-48a7-859f-0673ff105e6f

Status

test

Level

high

Type

Detection

Created

Tue Jun 06

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml

Raw Tags

attack.privilege-escalation

View on GitHub