Event ID 3001 — Code Integrity determined an unsigned kernel module FileNameBuffer is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Collection Priority: Recommended (NSA, others)
Task: CreateSection
Opcode: UnsignedDriverLoaded

Description

Code Integrity determined an unsigned kernel module FileNameBuffer is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.

Message #

Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.

Fields #

Name	Description
`FileNameLength` UInt16	—
`FileNameBuffer` UnicodeString	—
`SecureRequired` HexInt32	—
`RequestedSigningLevel` UInt8	—
`ProcessNameLength` UInt16	—
`ProcessNameBuffer` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

CodeIntegrity - Unsigned Kernel Module Loaded source high: Detects the presence of a loaded unsigned kernel module on the system.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations