CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects attempts to load a driver that Windows Code Integrity blocked because its signing certificate has been revoked by Microsoft.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543 Create or Modify System Process |
| Privilege Escalation | T1543 Create or Modify System Process |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| CodeIntegrity | 3023 | The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft. |