Detectionhightest

CodeIntegrity - Unsigned Image Loaded

Detects loaded unsigned image on the system

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jun 06c92c24e7-f595-493f-9c98-53d5142f5c18windows

Log Source

Windowscodeintegrity-operational

ProductWindows← raw: windows

Servicecodeintegrity-operational← raw: codeintegrity-operational

Detection Logic

detection:
    selection:
        EventID: 3037 # Code Integrity determined an unsigned image %2 is loaded into the system. Check with the publisher to see if a signed version of the image is available.
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation

Rule Metadata

Rule ID

c92c24e7-f595-493f-9c98-53d5142f5c18

Status

test

Level

high

Type

Detection

Created

Tue Jun 06

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml

Raw Tags

attack.privilege-escalation

View on GitHub