CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects block events for files that are disallowed by code integrity for protected processes

Event coverage

| Provider | Event ID | Title |
|---|---|---|
| CodeIntegrity | 3104 | Windows blocked file FileNameBuffer which has been disallowed for protected processes. |

Stages and Predicates

Stage 1: selection