CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked image/driver load events in which the file did not meet the required Authenticode signing level or violated the enforced code integrity policy.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Nov 10
Updated: Wed Jun 07
Rule ID: e4be5675-4a53-426a-8c81-a8bb2387e947
Product: windows
Log Source
Product: windows
Service: codeintegrity-operational
Detection Logic (1 selector)
detection:
  selection:
    EventID: 3077 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy (Policy ID:%XX).
  condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
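To show what the selection above actually does at triage time, here is an added Python example (not part of the Sigma rule or the Sigma project): it applies the rule's single selector to constructed Windows event records and pulls the process, loaded image, signing level and policy ID out of the 3077 message using the template quoted in the rule comment. The channel name used for the `codeintegrity-operational` log source and the message regex are assumptions based on that template; all sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex built from the 3077 message template quoted in the rule comment
# (%4 = process, %2 = image, %5 = signing level, %XX = policy ID). Assumption:
# rendered messages follow this template; wording may differ on some builds.
MSG_RE = re.compile(
    r"Code Integrity determined that a process \((?P<process>.+?)\) attempted to load "
    r"(?P<image>.+?) that did not meet the (?P<level>.+?) signing level requirements "
    r"or violated code integrity policy \(Policy ID:(?P<policy_id>[^)]*)\)\."
)
# Assumed backend mapping of the Sigma log source codeintegrity-operational.
CHANNEL = "Microsoft-Windows-CodeIntegrity/Operational"


@dataclass
class Block:
    process: str
    image: str
    signing_level: str
    policy_id: str


def sigma_selection(event: dict) -> bool:
    """Mirror the rule: log source channel plus EventID 3077 (enforced block)."""
    return event.get("Channel") == CHANNEL and int(event.get("EventID", -1)) == 3077


def parse_block(event: dict) -> Optional[Block]:
    """Return triage fields for a matching event, or None if the rule does not fire."""
    if not sigma_selection(event):
        return None
    m = MSG_RE.search(event.get("Message", ""))
    if not m:  # selection matched but message shape is unexpected: still alert
        return Block("?", "?", "?", "?")
    return Block(m["process"], m["image"], m["level"], m["policy_id"])


def run_rule(events: list) -> list:
    return [b for b in (parse_block(e) for e in events) if b is not None]


# Constructed sample events (placeholder paths and an all-zero policy GUID).
SAMPLE_EVENTS = [
    {"Channel": CHANNEL, "EventID": 3077, "Message":
     "Code Integrity determined that a process (\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe) "
     "attempted to load \\Device\\HarddiskVolume3\\Users\\Public\\tool.dll that did not meet the Windows "
     "signing level requirements or violated code integrity policy "
     "(Policy ID:{00000000-0000-0000-0000-000000000000})."},
    {"Channel": CHANNEL, "EventID": 3076, "Message": "audit-mode counterpart, not an enforced block"},
    {"Channel": "Security", "EventID": 3077, "Message": "same ID in another channel, out of scope"},
]
```

Only the first constructed event fires; the 3076 audit-mode event and the same ID from a different channel are ignored, which is exactly the rule's scope.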
MITRE ATT&CK
Tactics: Persistence, Privilege Escalation
Technique: T1543
Rule Metadata
Rule ID: e4be5675-4a53-426a-8c81-a8bb2387e947
Status: test
Level: high
Type: Detection
Created: Thu Nov 10
Modified: Wed Jun 07
Path: rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
Raw Tags: attack.persistence, attack.privilege-escalation, attack.t1543