From 89e28d65d2ee34efac05da53128fe2d596550e9a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 24 Oct 2022 12:05:50 +0200
Subject: [PATCH] Update win_codeintegrity_failed_driver_load.yml

---
 .../win_codeintegrity_failed_dll_load.yml | 41 +++++++++++++++++++
 .../win_codeintegrity_failed_driver_load.yml | 20 ---------
 2 files changed, 41 insertions(+), 20 deletions(-)
 create mode 100644 rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
 delete mode 100644 rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml

diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
new file mode 100644
index 000000000..8035439fe
--- /dev/null
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
@@ -0,0 +1,41 @@
+title: Code Integrity Blocked DLL Load
+id: f8931561-97f5-4c46-907f-0a4a592e47a7
+description: Detects DLL load events that got blocked by Windows code integrity checks due to not meeting the Windows/Antimalware signing level requirements
+author: Florian Roth
+status: experimental
+references:
+ - https://twitter.com/SBousseaden/status/1483810148602814466
+date: 2022/01/20
+modified: 2022/10/24
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ selection:
+ EventID: 3033
+ filter_dtrace:
+ # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
+ FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
+ ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
+ RequestedPolicy: 12
+ ValidatedPolicy: 1
+ filter_msmpeng:
+ # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
+ FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
+ FileNameBuffer|endswith: '\igd10iumd64.dll'
+ ProcessNameBuffer|contains: '\ProgramData\Microsoft\Windows Defender\Platform\'
+ ProcessNameBuffer|endswith: '\MsMpEng.exe'
+ RequestedPolicy: 7
+ ValidatedPolicy: 1
+ filter_keybase:
+ # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
+ FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
+ ProcessNameBuffer|endswith: '\AppData\Local\Keybase\Gui\Keybase.exe'
+ RequestedPolicy: 8
+ ValidatedPolicy: 1
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
deleted file mode 100644
index 69d0d3b0f..000000000
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Code Integrity Blocked Driver Load
-id: f8931561-97f5-4c46-907f-0a4a592e47a7
-description: Detects driver load events that got blocked by Windows code integrity checks
-author: Florian Roth
-status: experimental
-references:
- - https://twitter.com/SBousseaden/status/1483810148602814466
-date: 2022/01/20
-tags:
- - attack.execution
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- keywords:
- - 'that did not meet the Microsoft signing level requirements'
- condition: keywords
-falsepositives:
- - Unknown
-level: high
\ No newline at end of file
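Review bot: The three filters match on bare integers (`RequestedPolicy: 12` / `7` / `8` and `ValidatedPolicy: 1`) with nothing in the rule saying which signing level each number denotes, so a maintainer cannot judge whether an exclusion is still correct once the example message drifts. The example comments already pair 12, 7 and 8 with the "Windows", "Custom 3 / Antimalware" and "Microsoft" signing levels respectively, so a one-line comment per filter such as `# RequestedPolicy 12 corresponds to the "Windows signing level" named in the example above; verify against the Code Integrity 3033 event schema` would keep that mapping in the rule itself. `filter_keybase` additionally excludes events whose `ProcessNameBuffer` ends in a user-writable `\AppData\Local\Keybase\Gui\Keybase.exe` path; the `\Windows\System32\nvspcap64.dll` file condition narrows it, but the trade-off deserves recording. For that reason `falsepositives` should list the benign cases the filters encode rather than `- Unknown`, e.g. `- Known blocked loads by DTrace, Defender (MsMpEng.exe) and Keybase covered by the filters`.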