security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
T
Nasreddine Bencherchali bb8f6bf762 fix: update whql rule
2023-06-14 10:02:51 +02:00

30 lines
1.4 KiB
YAML
Raw Blame History

title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
status: experimental
description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/06
modified: 2023/06/14
tags:
- attack.privilege_escalation
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID:
- 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
- 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
filter_optional_vmware:
FileNameBuffer:
- 'system32\drivers\vsock.sys'
- 'System32\drivers\vmci.sys'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
Reference in New Issue View Git Blame Copy Permalink