Merge pull request #2585 from SigmaHQ/rule-devel

First code integrity rule - new log source

rules/windows/other/code_integrity/win_codeintegrity_failed_driver_load.yml

@@ -0,0 +1,20 @@
+title: Code Integrity Blocked Driver Load
+id: f8931561-97f5-4c46-907f-0a4a592e47a7
+description: Detects driver load events that got blocked by Windows code integrity checks
+author: Florian Roth
+status: experimental
+references:
+    - https://twitter.com/SBousseaden/status/1483810148602814466
+date: 2022/01/20
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    service: codeintegrity-operational
+detection:
+    keywords:
+        - 'that did not meet the Microsoft signing level requirements'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high

tools/config/elk-windows.yml

@@ -57,6 +57,11 @@ logsources:
     service: printservice-operational
     conditions:
       EventLog: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      EventLog: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/elk-winlogbeat-sp.yml

@@ -57,6 +57,11 @@ logsources:
     service: printservice-operational
     conditions:
       log_name: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/elk-winlogbeat.yml

@@ -57,6 +57,11 @@ logsources:
     service: printservice-operational
     conditions:
       log_name: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/fireeye-helix.yml

@@ -81,6 +81,11 @@ logsources:
         service: printservice-operational
         conditions:
             channel: 'Microsoft-Windows-PrintService/Operational'
+    windows-codeintegrity-operational:
+        product: windows
+        service: codeintegrity-operational
+        conditions:
+            channel: 'Microsoft-Windows-CodeIntegrity/Operational'
     windows-smbclient-security:
         product: windows
         index: windows

tools/config/hawk.yml

@@ -356,6 +356,11 @@ logsources:
    service: printservice-operational
    conditions:
      product_name: 'PrintService'
+ windows-codeintegrity-operational:
+   product: windows
+   service: codeintegrity-operational
+   conditions:
+     product_name: 'CodeIntegrity'
  windows-smbclient-security:
    product: windows
    service: smbclient-security

tools/config/logpoint-windows.yml

@@ -57,6 +57,11 @@ logsources:
     service: printservice-operational
     conditions:
       event_source: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/logstash-windows.yml

@@ -78,6 +78,11 @@ logsources:
     service: printservice-operational
     conditions:
       Channel: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/powershell.yml

@@ -97,6 +97,11 @@ logsources:
     service: printservice-operational
     conditions:
       LogName: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/splunk-windows.yml

@@ -107,6 +107,11 @@ logsources:
     service: printservice-operational
     conditions:
       source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      source: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/sumologic.yml

@@ -81,6 +81,11 @@ logsources:
     service: printservice-operational
     conditions:
       EventChannel: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/thor.yml

@@ -315,6 +315,11 @@ logsources:
     service: printservice-operational
     sources:
       - "WinEventLog:Microsoft-Windows-PrintService/Operational"
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    sources:
+      - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
   windows-applocker:
     product: windows
     service: applocker

tools/config/winlogbeat-modules-enabled.yml

@@ -81,6 +81,11 @@ logsources:
     service: printservice-operational
     conditions:
       winlog.channel: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/winlogbeat.yml

@@ -80,6 +80,11 @@ logsources:
     service: printservice-operational
     conditions:
       winlog.channel: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/zircolite.yml

@@ -68,6 +68,11 @@ logsources:
     service: printservice-operational
     conditions:
       Channel: 'Microsoft-Windows-PrintService/Operational'
+  windows-codeintegrity-operational:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security