blue-team-tools/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
title: Block Load Of Revoked Driver
id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
description: Detects blocked load attempts of revoked drivers
author: Nasreddine Bencherchali (Nextron Systems)
status: experimental
references:
    - https://twitter.com/wdormann/status/1590434950335320065
date: 2022/11/10
tags:
    - attack.privilege_escalation
    - attack.t1543
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3023
    condition: selection
falsepositives:
    - Unknown
level: high
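The rule has a single selection on `EventID: 3023` scoped by its logsource. The following is an added example, not code from the rule or its repository, that applies the same selection logic to flattened event records so the effect of the logsource scoping and of `condition: selection` can be seen concretely. It assumes that Sigma's Windows conventions resolve `service: codeintegrity-operational` to the `Microsoft-Windows-CodeIntegrity/Operational` channel; the event records, including the `Computer` values, are constructed rather than captured from a host.

```python
"""Apply the selection from 'Block Load Of Revoked Driver' to sample events.

Added example, not part of the Sigma rule or the repository. The event
records below are constructed, not captured from a real host. The channel
name is an assumption taken from Sigma's Windows log-source conventions.
"""
from typing import Any

# Assumption: the channel Sigma's Windows pipeline associates with
# `service: codeintegrity-operational`.
LOGSOURCE_CHANNEL = "Microsoft-Windows-CodeIntegrity/Operational"

# The rule's detection block, transcribed: one selection on EventID, with
# `condition: selection`.
RULE_SELECTION: dict[str, Any] = {"EventID": 3023}


def _as_list(value: Any) -> list[Any]:
    """Sigma lets a field carry one value or a list of alternatives."""
    return value if isinstance(value, list) else [value]


def field_matches(expected: Any, actual: Any) -> bool:
    """Sigma-style scalar comparison: case-insensitive on the string form,
    which also absorbs the int-vs-string drift between collectors
    (EventID 3023 from one pipeline, "3023" from another)."""
    if actual is None:
        return False
    return str(expected).casefold() == str(actual).casefold()


def selection_matches(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """Every field in a selection must match (AND); a list of values for a
    field matches when any one of them does (OR)."""
    return all(
        any(field_matches(exp, event.get(field)) for exp in _as_list(expected))
        for field, expected in selection.items()
    )


def rule_fires(event: dict[str, Any]) -> bool:
    """Scope to the rule's logsource first; `condition: selection` then
    reduces to evaluating the single selection."""
    if not field_matches(LOGSOURCE_CHANNEL, event.get("Channel")):
        return False
    return selection_matches(RULE_SELECTION, event)


# Constructed sample events in a flattened evtx-to-JSON shape.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # Revoked-driver block on the CodeIntegrity channel: should fire.
    {"Channel": LOGSOURCE_CHANNEL, "EventID": 3023, "Computer": "WKS-01"},
    # Same event, but a collector that emits EventID as a string: still fires.
    {"Channel": LOGSOURCE_CHANNEL, "EventID": "3023", "Computer": "WKS-02"},
    # A different CodeIntegrity event ID: no match.
    {"Channel": LOGSOURCE_CHANNEL, "EventID": 3033, "Computer": "WKS-03"},
    # Same numeric ID from another channel: out of the rule's logsource.
    {"Channel": "System", "EventID": 3023, "Computer": "WKS-04"},
]


def alerts(events: list[dict[str, Any]]) -> list[int]:
    """Indices of the events the rule would raise an alert for."""
    return [i for i, event in enumerate(events) if rule_fires(event)]


if __name__ == "__main__":
    for idx in alerts(SAMPLE_EVENTS):
        print(f"ALERT level=high rule='Block Load Of Revoked Driver' "
              f"host={SAMPLE_EVENTS[idx]['Computer']}")
```

The channel check is what keeps a numerically identical event ID from another provider out of scope; without it the rule would be no more specific than the four-digit number. The string-form comparison mirrors how Sigma backends are generally expected to treat scalar values and is the reason the rule survives collectors that stringify `EventID`.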