rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml

title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: |
    Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
author: Thomas Patzke
date: 2019-12-03
modified: 2025-01-19
tags:
    - attack.defense-evasion
    - attack.t1027.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 5038
            - 6281
    filter_optional_crowdstrike:
        param1|contains:
            - '\CSFalconServiceUninstallTool_'
            - '\Program Files\CrowdStrike\'
            - '\System32\drivers\CrowdStrike\'
            - '\Windows\System32\ScriptControl64_'
    filter_optional_sophos:
        param1|contains: '\Program Files\Sophos\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Disk device errors
level: informational
Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00			`title: Failed Code Integrity Checks`
			`id: 470ec5fa-7b4e-4071-b200-4c753100f49b`
			`status: stable`
Merge PR #4577 from @nasbench - Multiple Fixes & Updates 2023-12-21 21:04:18 +01:00			`description: \|`
			`Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.`
Merge PR #4681 from @nasbench - Add Missing Ref & Tags 2024-01-29 13:37:20 +01:00			`references:`
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS 2024-07-02 06:00:11 -04:00			`- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038`
			`- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281`
Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00			`author: Thomas Patzke`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2019-12-03`
Merge PR #5167 from @djlukic - Fix multiple false positives found in the wild 2025-01-30 21:15:39 +01:00			`modified: 2025-01-19`
Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`- attack.t1027.001`
Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID:`
			`- 5038`
			`- 6281`
Merge PR #5167 from @djlukic - Fix multiple false positives found in the wild 2025-01-30 21:15:39 +01:00			`filter_optional_crowdstrike:`
			`param1\|contains:`
			`- '\CSFalconServiceUninstallTool_'`
			`- '\Program Files\CrowdStrike\'`
			`- '\System32\drivers\CrowdStrike\'`
			`- '\Windows\System32\ScriptControl64_'`
			`filter_optional_sophos:`
			`param1\|contains: '\Program Files\Sophos\'`
			`condition: selection and not 1 of filter_optional_*`
Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00			`falsepositives:`
			`- Disk device errors`
Merge PR #4577 from @nasbench - Multiple Fixes & Updates 2023-12-21 21:04:18 +01:00			`level: informational`