CodeIntegrity - Blocked Image/Driver Load For Policy Violation

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects blocked image and driver load events in which the loaded file did not meet the requested Authenticode signing level or violated the code integrity policy.

MITRE ATT&CK coverage

Tactic                Technique
Persistence           T1543 Create or Modify System Process
Privilege Escalation  T1543 Create or Modify System Process

Event coverage

Provider        Event ID  Title
CodeIntegrity   3077      Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
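The rule reduces to a match on the provider and event ID listed in the event coverage above. The following is an added example, not the Sigma rule itself and not code from the rule's author: it parses Windows event records in the XML layout that Get-WinEvent's ToXml() produces and keeps only CodeIntegrity 3077 from the Microsoft-Windows-CodeIntegrity/Operational channel. The records are constructed for the example, and the EventData field names (FileNameBuffer, ProcessNameBuffer) are assumptions that should be checked against a real 3077 event. The audit-mode record (event 3076) is included to show that the rule fires only on enforced blocks.

```python
"""Apply the CodeIntegrity 3077 selection to Windows event records.

Added example: not the Sigma rule and not the rule author's code. Event
records are constructed inline; EventData field names are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sigma logsource codeintegrity-operational is commonly mapped to this
# channel by backends; the selection itself then only needs the event ID.
CHANNEL = "Microsoft-Windows-CodeIntegrity/Operational"
PROVIDER = "Microsoft-Windows-CodeIntegrity"
BLOCKED_EVENT_ID = 3077  # enforced block; 3076 is the audit-mode counterpart


def _record(channel: str, provider: str, event_id: int, data: dict) -> str:
    """Build one constructed event record as XML text (not real telemetry)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f"<Channel>{channel}</Channel><Computer>WS01.corp.example</Computer>"
        f"</System><EventData>{fields}</EventData></Event>"
    )


# Constructed sample records. Field names are assumptions for illustration.
SAMPLE_EVENTS = [
    # Enforced block of an unsigned DLL: the rule should fire on this one.
    _record(CHANNEL, PROVIDER, 3077, {
        "FileNameBuffer": r"\Device\HarddiskVolume3\Users\Public\loader.dll",
        "ProcessNameBuffer": r"\Device\HarddiskVolume3\Windows\System32\svchost.exe",
    }),
    # Same load under an audit-mode policy is logged as 3076: not a hit.
    _record(CHANNEL, PROVIDER, 3076, {
        "FileNameBuffer": r"\Device\HarddiskVolume3\Users\Public\loader.dll",
        "ProcessNameBuffer": r"\Device\HarddiskVolume3\Windows\System32\svchost.exe",
    }),
    # Unrelated record from another channel: not a hit.
    _record("Security", "Microsoft-Windows-Security-Auditing", 4688, {
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
    }),
]


def parse_event(xml_text: str) -> dict:
    """Extract the fields the selection and triage summary need."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": {d.get("Name"): d.text
                 for d in root.findall("e:EventData/e:Data", NS)},
    }


def matches_rule(event: dict) -> bool:
    """Selection: the CodeIntegrity operational log and EventID 3077."""
    return event["channel"] == CHANNEL and event["event_id"] == BLOCKED_EVENT_ID


def run_detection(records) -> list:
    """Return the parsed events that satisfy the selection."""
    return [ev for ev in map(parse_event, records) if matches_rule(ev)]


def summarize(event: dict) -> str:
    """One triage line per hit: which process was blocked from loading what."""
    d = event["data"]
    return (f"{event['computer']}: {d.get('ProcessNameBuffer', '?')} blocked from "
            f"loading {d.get('FileNameBuffer', '?')} (CodeIntegrity {event['event_id']})")


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(summarize(hit))
```

Feeding real records is a matter of exporting them with Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' and calling ToXml() on each; the selection does not change. Because only 3077 is matched, an environment still running its policy in audit mode will produce 3076 events and no hits from this rule.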

Stages and Predicates

Stage 1: selection