security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update win_codeintegrity_failed_driver_load.yml

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-10-24 12:05:50 +02:00
parent c6bd6ec489
commit 89e28d65d2
2 changed files with 41 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
+41
View File
@@ -0,0 +1,41 @@
title: Code Integrity Blocked DLL Load
id: f8931561-97f5-4c46-907f-0a4a592e47a7
description: Detects DLL load events that got blocked by Windows code integrity checks due to not meeting the Windows/Antimalware signing level requirements
author: Florian Roth
status: experimental
references:
- https://twitter.com/SBousseaden/status/1483810148602814466
date: 2022/01/20
modified: 2022/10/24
tags:
- attack.execution
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID: 3033
filter_dtrace:
# Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
RequestedPolicy: 12
ValidatedPolicy: 1
filter_msmpeng:
# Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
FileNameBuffer|endswith: '\igd10iumd64.dll'
ProcessNameBuffer|contains: '\ProgramData\Microsoft\Windows Defender\Platform\'
ProcessNameBuffer|endswith: '\MsMpEng.exe'
RequestedPolicy: 7
ValidatedPolicy: 1
filter_keybase:
# Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
ProcessNameBuffer|endswith: '\AppData\Local\Keybase\Gui\Keybase.exe'
RequestedPolicy: 8
ValidatedPolicy: 1
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
-20
View File
@@ -1,20 +0,0 @@
title: Code Integrity Blocked Driver Load
id: f8931561-97f5-4c46-907f-0a4a592e47a7
description: Detects driver load events that got blocked by Windows code integrity checks
author: Florian Roth
status: experimental
references:
- https://twitter.com/SBousseaden/status/1483810148602814466
date: 2022/01/20
tags:
- attack.execution
logsource:
product: windows
service: codeintegrity-operational
detection:
keywords:
- 'that did not meet the Microsoft signing level requirements'
condition: keywords
falsepositives:
- Unknown
level: high