LoFP / disk device errors

Techniques

Sample rules

Failed Code Integrity Checks

Description

Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.

Detection logic

selection:
  EventID:
  - 5038
  - 6281
filter_optional_crowdstrike:
  param1|contains:
  - \CSFalconServiceUninstallTool_
  - \Program Files\CrowdStrike\
  - \System32\drivers\CrowdStrike\
  - \Windows\System32\ScriptControl64_
filter_optional_sophos:
  param1|contains: \Program Files\Sophos\
condition: selection and not 1 of filter_optional_*
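The following is an added example, not code from LoFP or from the rule's author: it evaluates the Sigma detection logic above over a few constructed Windows events so the effect of the optional vendor filters is visible. It assumes Sigma's default semantics (a list under a field is OR, `|contains` is a case-insensitive substring test, `1 of filter_optional_*` is true when any filter section matches) and that `param1` of events 5038 and 6281 carries the image path; the event records and the driver names in them are constructed, not real logs.

```python
"""Evaluate the Sigma logic above against constructed Windows events.

Added example; not LoFP's or the rule author's code.  Assumes Sigma's
default matching semantics (list under a field = OR, `|contains` =
case-insensitive substring, `1 of filter_optional_*` = any filter matches)
and that param1 of events 5038/6281 holds the image path.
"""

SELECTION_EVENT_IDS = {5038, 6281}

# The rule's filter_optional_* sections, one substring list per vendor.
OPTIONAL_FILTERS = {
    "filter_optional_crowdstrike": [
        "\\CSFalconServiceUninstallTool_",
        "\\Program Files\\CrowdStrike\\",
        "\\System32\\drivers\\CrowdStrike\\",
        "\\Windows\\System32\\ScriptControl64_",
    ],
    "filter_optional_sophos": [
        "\\Program Files\\Sophos\\",
    ],
}


def matches_selection(event):
    """`selection`: EventID is 5038 or 6281."""
    return event.get("EventID") in SELECTION_EVENT_IDS


def matched_filters(event):
    """Names of the filter_optional_* sections whose `param1|contains` hits."""
    param1 = str(event.get("param1", "")).lower()
    return [
        name
        for name, needles in OPTIONAL_FILTERS.items()
        if any(needle.lower() in param1 for needle in needles)
    ]


def evaluate(event):
    """Apply `condition: selection and not 1 of filter_optional_*`.

    Returns a dict rather than a bare bool so an analyst can see why an
    event was suppressed (which filter section matched).
    """
    if not matches_selection(event):
        return {"alert": False, "reason": "not a code-integrity event", "filters": []}
    hits = matched_filters(event)
    if hits:
        return {"alert": False, "reason": "known-good vendor path", "filters": hits}
    return {"alert": True, "reason": "code-integrity failure outside filtered paths", "filters": []}


def triage(events):
    """Return the param1 values of the events that would raise the alert."""
    return [e["param1"] for e in events if evaluate(e)["alert"]]


# Constructed sample events (not real logs); param1 is the image path.
CONSTRUCTED_EVENTS = [
    {"EventID": 5038,
     "param1": "\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\CrowdStrike\\CSAgent.sys"},
    {"EventID": 6281,
     "param1": "\\Device\\HarddiskVolume3\\Program Files\\Sophos\\Endpoint Defense\\example_agent.exe"},
    {"EventID": 5038,
     "param1": "\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\example_unsigned.sys"},
    {"EventID": 4624, "param1": "not a code-integrity event"},
]

if __name__ == "__main__":
    for e in CONSTRUCTED_EVENTS:
        print(e["EventID"], evaluate(e))
    print("alerts:", triage(CONSTRUCTED_EVENTS))
```

Only the third event survives the condition: the CrowdStrike and Sophos events are suppressed by their filter sections, and the 4624 event never enters the selection. Keeping the matched filter name in the result is what lets an analyst review which exclusions are doing the work when tuning this rule against sources of noise such as the disk device errors this LoFP entry covers.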