Techniques
Sample rules
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
- source: sigma
- techniques:
Description
Detects attempted file load events that did not meet the signing level requirements. This usually means the file's signature has been revoked or a signature with the Lifetime Signing EKU has expired. Correlate the event with EID 3089 from the same log to determine the validation error behind the failure.
Detection logic
detection:
    selection:
        EventID:
            - 3033
            - 3034
    filter_main_gac:
        FileNameBuffer|contains: '\Windows\assembly\GAC\'
        ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
        ProcessNameBuffer|endswith: '\mscorsvw.exe'
        RequestedPolicy: 8
    filter_optional_av_generic:
        FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
        FileNameBuffer|endswith: '\igd10iumd64.dll'
        RequestedPolicy: 7
    filter_optional_avast:
        FileNameBuffer|endswith:
            - '\Program Files\Avast Software\Avast\aswAMSI.dll'
            - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
        RequestedPolicy:
            - 8
            - 12
    filter_optional_bonjour:
        FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
        ProcessNameBuffer|endswith:
            - '\Windows\System32\svchost.exe'
            - '\Windows\System32\SIHClient.exe'
        RequestedPolicy:
            - 8
            - 12
    filter_optional_comodo:
        FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
    filter_optional_dtrace:
        FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
        ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
        RequestedPolicy: 12
    filter_optional_electron_based_app:
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|endswith:
            - '\AppData\Local\Keybase\Gui\Keybase.exe'
            - '\Microsoft\Teams\stage\Teams.exe'
        RequestedPolicy: 8
    filter_optional_eset:
        FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
    filter_optional_firefox:
        FileNameBuffer|endswith:
            - '\Mozilla Firefox\mozavcodec.dll'
            - '\Mozilla Firefox\mozavutil.dll'
        ProcessNameBuffer|endswith: '\Mozilla Firefox\firefox.exe'
        RequestedPolicy: 8
    filter_optional_google_drive:
        FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
        FileNameBuffer|endswith: '\crashpad_handler.exe'
        ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
        RequestedPolicy: 8
    filter_optional_mcafee:
        FileNameBuffer|endswith:
            - '\Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll'
            - '\Program Files\McAfee\MfeAV\AMSIExt.dll'
    filter_optional_mdns_responder:
        FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll'
    filter_optional_msoffice:
        FileNameBuffer|contains: '\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE'
        FileNameBuffer|endswith: '\MSOXMLMF.DLL'
        RequestedPolicy: 7
    filter_optional_sentinel_one:
        - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
        - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
    filter_optional_slack:
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|contains: '\AppData\Local\slack\app-'
        ProcessNameBuffer|endswith: '\slack.exe'
        RequestedPolicy: 8
    filter_optional_trend_micro:
        FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
        RequestedPolicy: 8
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
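The detection block above is easiest to sanity-check by running it over a handful of events. The following is an added example, not code from the Sigma rule or from the SigmaHQ/pySigma tooling: a minimal evaluator for just the Sigma features this rule uses (the `contains` and `endswith` modifiers, which Sigma matches case-insensitively; plain equality; a list of values as OR; a map as AND across its lines; and a filter written as a list of maps, which is OR across those maps). The detection block is transcribed with three of the filters, one for each of those shapes, and the events it runs over are constructed, not captured logs; their NT device paths, the `vendor_plugin.dll` name and the SentinelOne version directory are assumptions.

```python
# Added example (not from the Sigma rule or SigmaHQ tooling): evaluate the
# rule's detection block over constructed CodeIntegrity 3033/3034 events.

# Detection block transcribed from the rule above, trimmed to three filters
# that cover the three shapes the rule uses (AND map, list values, list of maps).
DETECTION = {
    "selection": {"EventID": [3033, 3034]},
    "filter_main_gac": {
        "FileNameBuffer|contains": "\\Windows\\assembly\\GAC\\",
        "ProcessNameBuffer|contains": "\\Windows\\Microsoft.NET\\",
        "ProcessNameBuffer|endswith": "\\mscorsvw.exe",
        "RequestedPolicy": 8,
    },
    "filter_optional_avast": {
        "FileNameBuffer|endswith": [
            "\\Program Files\\Avast Software\\Avast\\aswAMSI.dll",
            "\\Program Files (x86)\\Avast Software\\Avast\\aswAMSI.dll",
        ],
        "RequestedPolicy": [8, 12],
    },
    "filter_optional_sentinel_one": [
        {"FileNameBuffer|contains": "\\Program Files\\SentinelOne\\Sentinel Agent"},
        {"ProcessNameBuffer|contains": "\\Program Files\\SentinelOne\\Sentinel Agent"},
    ],
}


def _field_matches(event, key, expected):
    """One `Field|modifier: value` line; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    for want in (expected if isinstance(expected, list) else [expected]):
        if modifier == "contains" and str(want).lower() in str(actual).lower():
            return True
        if modifier == "endswith" and str(actual).lower().endswith(str(want).lower()):
            return True
        if modifier == "" and (actual == want or str(actual).lower() == str(want).lower()):
            return True
    return False


def _block_matches(event, block):
    """A map is AND across its lines; a list of maps is OR across the maps."""
    if isinstance(block, list):
        return any(_block_matches(event, sub) for sub in block)
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(event, detection=DETECTION):
    """Apply: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    if not _block_matches(event, detection["selection"]):
        return False
    for name, block in detection.items():
        if name.startswith(("filter_main_", "filter_optional_")) and _block_matches(event, block):
            return False  # matched a known-good loader/module: suppressed
    return True


def alerting_indices(events):
    """Indices of the events the rule fires on, in input order."""
    return [i for i, e in enumerate(events) if evaluate(e)]


# Constructed sample events (not captured logs); paths use the NT device form
# the CodeIntegrity log records, and the SentinelOne version directory is made up.
SAMPLE_EVENTS = [
    {  # revoked/expired-signature DLL loaded from a user profile: should fire
        "EventID": 3033,
        "FileNameBuffer": "\\Device\\HarddiskVolume3\\Users\\alice\\Downloads\\helper.dll",
        "ProcessNameBuffer": "\\Device\\HarddiskVolume3\\Windows\\System32\\rundll32.exe",
        "RequestedPolicy": 8,
    },
    {  # .NET native image service touching the GAC: filter_main_gac suppresses
        "EventID": 3033,
        "FileNameBuffer": "\\Device\\HarddiskVolume3\\Windows\\assembly\\GAC\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
        "ProcessNameBuffer": "\\Device\\HarddiskVolume3\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe",
        "RequestedPolicy": 8,
    },
    {  # Avast AMSI provider at a listed policy level: filter_optional_avast suppresses
        "EventID": 3034,
        "FileNameBuffer": "\\Device\\HarddiskVolume3\\Program Files\\Avast Software\\Avast\\aswAMSI.dll",
        "ProcessNameBuffer": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "RequestedPolicy": 8,
    },
    {  # same DLL but RequestedPolicy 7: the AND inside the filter fails, so it fires
        "EventID": 3034,
        "FileNameBuffer": "\\Device\\HarddiskVolume3\\Program Files\\Avast Software\\Avast\\aswAMSI.dll",
        "ProcessNameBuffer": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "RequestedPolicy": 7,
    },
    {  # SentinelOne agent as the loader: the process-side map of the OR list suppresses
        "EventID": 3033,
        "FileNameBuffer": "\\Device\\HarddiskVolume3\\Windows\\System32\\vendor_plugin.dll",
        "ProcessNameBuffer": "\\Device\\HarddiskVolume3\\Program Files\\SentinelOne\\Sentinel Agent 23.1.0.0\\SentinelAgent.exe",
        "RequestedPolicy": 12,
    },
    {  # EID 3089 carries the validation error but is not in the selection (field set simplified)
        "EventID": 3089,
        "FileNameBuffer": "\\Device\\HarddiskVolume3\\Users\\alice\\Downloads\\helper.dll",
    },
]

if __name__ == "__main__":
    for i in alerting_indices(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: EID {e['EventID']} {e['ProcessNameBuffer']} -> {e['FileNameBuffer']}")
```

Two things worth noting from the run: a filter only suppresses when every line of its map holds, so the same Avast DLL at a `RequestedPolicy` the filter does not list still fires, and the list-of-maps form of `filter_optional_sentinel_one` suppresses on either the file or the loading process alone, which is a broad exclusion to keep in mind when tuning.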