2023-06-09 10:44:40 +02:00
title : CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
2023-06-07 10:36:45 +02:00
id : 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
2024-05-02 10:34:25 +02:00
status : test
2023-06-07 10:36:45 +02:00
description : Detects loaded kernel modules that did not meet the WHQL signing requirements.
2023-06-06 23:06:02 +02:00
references :
2024-07-02 06:00:11 -04:00
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
2023-06-06 23:06:02 +02:00
- Internal Research
author : Nasreddine Bencherchali (Nextron Systems)
2024-08-12 12:02:50 +02:00
date : 2023-06-06
modified : 2023-06-14
2023-06-06 23:06:02 +02:00
tags :
2024-08-12 12:02:50 +02:00
- attack.privilege-escalation
2023-06-06 23:06:02 +02:00
logsource :
product : windows
service : codeintegrity-operational
detection :
selection :
EventID :
- 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
- 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
2023-06-13 11:41:14 +02:00
filter_optional_vmware :
2023-06-14 10:02:51 +02:00
FileNameBuffer :
- 'system32\drivers\vsock.sys'
- 'System32\drivers\vmci.sys'
2023-06-13 11:41:14 +02:00
condition : selection and not 1 of filter_optional_*
2023-06-06 23:06:02 +02:00
falsepositives :
2023-06-07 10:36:45 +02:00
- Unlikely
2023-06-06 23:06:02 +02:00
level : high
