security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e8e2a2ca9a8e2ba02ea21fe6c5e69715b89096b9
blue-team-tools/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
T
Nasreddine Bencherchali e8e2a2ca9a feat: update code integrity rules
2023-06-06 23:06:02 +02:00

25 lines
1.0 KiB
YAML
Raw Blame History

title:
id:
status: experimental
description: Detects
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/11/10
tags:
- attack.
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID:
- 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
- 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink