
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

Severity
low
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects attempted file load events that did not meet the signing level requirements. These events usually mean that the file's signature has been revoked or that a signature carrying the Lifetime Signing EKU has expired. Correlate them with Event ID 3089 to determine the validation error. The long list of AMSI provider and endpoint-agent DLLs in the filters below reflects how often third-party security products trigger these events; expect to extend the filter_optional_* set for your environment before using the rule for alerting.

Event coverage

Provider        Event ID   Title
CodeIntegrity   3033       Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.
CodeIntegrity   3034       Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...

Stages and Predicates

Stage 1: selection

Stage 2: not 1 of filter_main_gac

FileNameBuffer|contains: '\Windows\assembly\GAC\'
ProcessNameBuffer|endswith: '\mscorsvw.exe'
ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
RequestedPolicy: 8

Stage 3: not 1 of filter_optional_*

or:
or:
FileNameBuffer|endswith: '\Mozilla Firefox\mozavcodec.dll'
FileNameBuffer|endswith: '\Mozilla Firefox\mozavutil.dll'
ProcessNameBuffer|endswith: '\Mozilla Firefox\firefox.exe'
RequestedPolicy: 8
or:
FileNameBuffer|endswith: '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
FileNameBuffer|endswith: '\Program Files\Avast Software\Avast\aswAMSI.dll'
RequestedPolicy: [12, 8]
or:
ProcessNameBuffer|endswith: '\AppData\Local\Keybase\Gui\Keybase.exe'
ProcessNameBuffer|endswith: '\Microsoft\Teams\stage\Teams.exe'
FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
RequestedPolicy: 8
or:
ProcessNameBuffer|endswith: '\Windows\System32\SIHClient.exe'
ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
RequestedPolicy: [12, 8]
FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
FileNameBuffer|endswith: '\MSOXMLMF.DLL'
FileNameBuffer|contains: '\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE'
RequestedPolicy: 7
FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
RequestedPolicy: 12
FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
RequestedPolicy: 8
FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
ProcessNameBuffer|endswith: '\slack.exe'
ProcessNameBuffer|contains: '\AppData\Local\slack\app-'
RequestedPolicy: 8
FileNameBuffer|endswith: '\crashpad_handler.exe'
FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
RequestedPolicy: 8
FileNameBuffer|endswith: '\igd10iumd64.dll'
FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
RequestedPolicy: 7
FileNameBuffer|contains: '\Kaspersky Lab\'
FileNameBuffer|contains: '\antimalware_provider.dll'
FileNameBuffer|contains: '\Windows\System32\'
ProcessNameBuffer|contains: '\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office'
RequestedPolicy: 8
ProcessNameBuffer|contains: '\Kaspersky Lab\'
ProcessNameBuffer|contains: '\avp.exe'
FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
FileNameBuffer|endswith: '\Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll'
FileNameBuffer|endswith: '\Program Files\McAfee\MfeAV\AMSIExt.dll'
FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll'
FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
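The condition the stages above express (selection, minus filter_main_gac, minus any matching filter_optional_* block), as an added Python example that is not code from the rule or from the SigmaHQ project. It implements the Sigma semantics the predicate list relies on (predicates within one block are ANDed, a list of values for one predicate is ORed, string matching is case-insensitive), transcribes only the GAC, Firefox and Avast filters from the list above, assumes the selection block is on EventID 3033/3034 as listed under Event coverage, and runs over constructed sample events.

```python
"""Minimal evaluator for:  selection and not filter_main_gac and not 1 of filter_optional_*
Added example, not the upstream rule; filter blocks are a transcribed subset."""

# Sigma semantics used: all predicates in a block must hold (AND); a list of
# values for one predicate is an alternative (OR); strings compare case-insensitively.
SELECTION = {"EventID": [3033, 3034]}  # assumed: selection is on the two covered event IDs

FILTER_MAIN_GAC = {
    "FileNameBuffer|contains": "\\Windows\\assembly\\GAC\\",
    "ProcessNameBuffer|endswith": "\\mscorsvw.exe",
    "ProcessNameBuffer|contains": "\\Windows\\Microsoft.NET\\",
    "RequestedPolicy": 8,
}

FILTERS_OPTIONAL = {
    "firefox": {
        "FileNameBuffer|endswith": ["\\Mozilla Firefox\\mozavcodec.dll",
                                    "\\Mozilla Firefox\\mozavutil.dll"],
        "ProcessNameBuffer|endswith": "\\Mozilla Firefox\\firefox.exe",
        "RequestedPolicy": 8,
    },
    "avast": {
        "FileNameBuffer|endswith": ["\\Program Files (x86)\\Avast Software\\Avast\\aswAMSI.dll",
                                    "\\Program Files\\Avast Software\\Avast\\aswAMSI.dll"],
        "RequestedPolicy": [12, 8],
    },
}


def _match_value(modifier, actual, expected):
    """Apply one Sigma modifier ('' means plain equality) to a single value."""
    if actual is None:
        return False
    if modifier == "":
        if isinstance(actual, str) and isinstance(expected, str):
            return actual.lower() == expected.lower()
        return actual == expected          # integers such as RequestedPolicy compare exactly
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def predicate_holds(event, key, expected):
    """'Field|modifier': value-or-list; true when any listed value matches."""
    field, _, modifier = key.partition("|")
    values = expected if isinstance(expected, list) else [expected]
    return any(_match_value(modifier, event.get(field), v) for v in values)


def block_matches(event, block):
    return all(predicate_holds(event, k, v) for k, v in block.items())


def rule_matches(event):
    if not block_matches(event, SELECTION):
        return False
    if block_matches(event, FILTER_MAIN_GAC):
        return False
    return not any(block_matches(event, f) for f in FILTERS_OPTIONAL.values())


def flagged_files(events):
    """FileNameBuffer of every event the rule would alert on, in input order."""
    return [e["FileNameBuffer"] for e in events if rule_matches(e)]


# Constructed sample events (not real log data); paths are illustrative.
GAC_DLL = "C:\\Windows\\assembly\\GAC\\stdole\\7.0.3300.0__b03f5f7f11d50a3a\\stdole.dll"
NGEN = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TEMP_DLL = "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"
SAMPLE_EVENTS = [
    # benign: .NET native image service loading a GAC assembly -> filter_main_gac
    {"EventID": 3033, "RequestedPolicy": 8, "ProcessNameBuffer": NGEN, "FileNameBuffer": GAC_DLL},
    # benign: Firefox media codec -> filter_optional firefox
    {"EventID": 3033, "RequestedPolicy": 8,
     "ProcessNameBuffer": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "FileNameBuffer": "C:\\Program Files\\Mozilla Firefox\\mozavcodec.dll"},
    # benign: AMSI provider loaded into a script host, policy 12 is in the list -> filter_optional avast
    {"EventID": 3034, "RequestedPolicy": 12, "ProcessNameBuffer": PS,
     "FileNameBuffer": "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll"},
    # same GAC load with RequestedPolicy 12: the filter requires exactly 8, so the rule fires
    {"EventID": 3033, "RequestedPolicy": 12, "ProcessNameBuffer": NGEN, "FileNameBuffer": GAC_DLL},
    # unfiltered: a DLL from a user-writable path failing the signing level -> fires
    {"EventID": 3034, "RequestedPolicy": 8, "ProcessNameBuffer": PS, "FileNameBuffer": TEMP_DLL},
    # out of scope: a different CodeIntegrity event ID never reaches the filters
    {"EventID": 3089, "RequestedPolicy": 8, "ProcessNameBuffer": PS, "FileNameBuffer": TEMP_DLL},
]

if __name__ == "__main__":
    for path in flagged_files(SAMPLE_EVENTS):
        print("ALERT", path)
```

The fourth sample event is the one worth noting when tuning: because every predicate in a filter block is ANDed, a filter that pins RequestedPolicy to 8 stops suppressing the moment the same process and file appear with a different signing level, which is exactly the behaviour you want from an allow-list that should not become broader than the benign case it was written for.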

Indicators

Each row is a field, operator, and value that the rule matches. ends_with corresponds to the Sigma endswith modifier, match to contains, and eq to plain equality.

Field              Kind         Values
FileNameBuffer     ends_with
  • \MSOXMLMF.DLL
  • \Mozilla Firefox\mozavcodec.dll
  • \Mozilla Firefox\mozavutil.dll
  • \Program Files (x86)\Avast Software\Avast\aswAMSI.dll
  • \Program Files\Avast Software\Avast\aswAMSI.dll
  • \Program Files\Bonjour\mdnsNSP.dll
  • \Program Files\DTrace\dtrace.dll
  • \Program Files\ESET\ESET Security\eamsi.dll
  • \Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll
  • \Program Files\McAfee\MfeAV\AMSIExt.dll
  • \Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll
  • \Program Files\comodo\comodo internet security\amsiprovider_x64.dll
  • \Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll
  • \Windows\System32\nvspcap64.dll
  • \crashpad_handler.exe
  • \igd10iumd64.dll
FileNameBuffer     match
  • \Kaspersky Lab\
  • \Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE
  • \National Instruments\Shared\mDNS Responder\
  • \Program Files\Google\Drive File Stream\
  • \Program Files\SentinelOne\Sentinel Agent
  • \Windows\System32\
  • \Windows\System32\DriverStore\FileRepository\
  • \Windows\assembly\GAC\
  • \antimalware_provider.dll
ProcessNameBuffer  ends_with
  • \AppData\Local\Keybase\Gui\Keybase.exe
  • \Microsoft\Teams\stage\Teams.exe
  • \Mozilla Firefox\firefox.exe
  • \Windows\ImmersiveControlPanel\SystemSettings.exe
  • \Windows\System32\SIHClient.exe
  • \Windows\System32\svchost.exe
  • \mscorsvw.exe
  • \slack.exe
ProcessNameBuffer  match
  • \AppData\Local\slack\app-
  • \Kaspersky Lab\
  • \Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office
  • \Program Files\SentinelOne\Sentinel Agent
  • \Windows\Microsoft.NET\
  • \avp.exe
RequestedPolicy    eq
  • 12
  • 7
  • 8