security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
T

27 lines
808 B
YAML
Raw Normal View History

Added rule for failed code integrity checks
2019-12-03 15:08:26 +01:00
title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
description: |
Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281
Added rule for failed code integrity checks
2019-12-03 15:08:26 +01:00
author: Thomas Patzke
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
date: 2019/12/03
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
modified: 2023/12/13
Added rule for failed code integrity checks
2019-12-03 15:08:26 +01:00
tags:
- attack.defense_evasion
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-25 01:09:17 +02:00
- attack.t1027.001
Added rule for failed code integrity checks
2019-12-03 15:08:26 +01:00
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 5038
- 6281
condition: selection
falsepositives:
- Disk device errors
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
level: informational
Reference in New Issue Copy Permalink