CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
Sigma rule:

```yaml
title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
id: f8931561-97f5-4c46-907f-0a4a592e47a7
status: experimental
description: |
    Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
    This event is best correlated with EID 3089 to determine the error of the validation.
references:
    - https://twitter.com/SBousseaden/status/1483810148602814466
    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-20
modified: 2025-02-28
tags:
    - attack.execution
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.
            - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.
    filter_optional_dtrace:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
        FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
        ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
        RequestedPolicy: 12
    filter_optional_av_generic:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
        FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
        FileNameBuffer|endswith: '\igd10iumd64.dll'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_electron_based_app:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|endswith:
            - '\AppData\Local\Keybase\Gui\Keybase.exe'
            - '\Microsoft\Teams\stage\Teams.exe'
        RequestedPolicy: 8
    filter_optional_bonjour:
        FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
        ProcessNameBuffer|endswith:
            - '\Windows\System32\svchost.exe'
            - '\Windows\System32\SIHClient.exe'
        RequestedPolicy:
            - 8
            - 12
    filter_optional_msoffice_1:
        FileNameBuffer|contains: '\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE'
        FileNameBuffer|endswith: '\MSOXMLMF.DLL'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_msoffice_2:
        ProcessNameBuffer|contains: '\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office'
        FileNameBuffer|contains: '\Windows\System32\'
        RequestedPolicy: 8
    filter_optional_slack:
        # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png
        # Even though it's the same DLL as the one used in the electron based app filter, we need a separate selection because Slack's folder naming convention includes the version number.
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|contains: '\AppData\Local\slack\app-'
        ProcessNameBuffer|endswith: '\slack.exe'
        RequestedPolicy: 8
    filter_optional_firefox:
        # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png
        FileNameBuffer|endswith:
            - '\Mozilla Firefox\mozavcodec.dll'
            - '\Mozilla Firefox\mozavutil.dll'
        ProcessNameBuffer|endswith: '\Mozilla Firefox\firefox.exe'
        RequestedPolicy: 8
    filter_optional_avast:
        FileNameBuffer|endswith:
            - '\Program Files\Avast Software\Avast\aswAMSI.dll'
            - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
        RequestedPolicy:
            - 8
            - 12
    filter_main_gac:
        # Filtering the path containing this string because of multiple possible DLLs in that location
        FileNameBuffer|contains: '\Windows\assembly\GAC\'
        ProcessNameBuffer|endswith: '\mscorsvw.exe'
        ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
        RequestedPolicy: 8
    filter_optional_google_drive:
        # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
        FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
        FileNameBuffer|endswith: '\crashpad_handler.exe'
        ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
        RequestedPolicy: 8
    filter_optional_trend_micro:
        FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
        RequestedPolicy: 8
    filter_optional_mdns_responder:
        # Trailing whitespace removed from the value: an endswith pattern ending in a space would never match a file path
        FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll'
    filter_optional_mcafee:
        FileNameBuffer|endswith:
            - '\Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll'
            - '\Program Files\McAfee\MfeAV\AMSIExt.dll'
    filter_optional_eset:
        FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
    filter_optional_comodo:
        FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
    filter_optional_sentinel_one:
        # Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll
        - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
        # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
        - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
    filter_optional_national_instruments:
        # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll
        FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
    filter_optional_kaspersky:
        # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
        - ProcessNameBuffer|contains|all:
            - '\Kaspersky Lab\'
            - '\avp.exe'
        - FileNameBuffer|contains|all:
            - '\Kaspersky Lab\'
            - '\antimalware_provider.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filtering and tuning is required before using this rule.
level: low
```
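To show how the rule's `selection and not 1 of filter_*` condition behaves on real-looking events, here is an added example (not part of the Sigma rule or of SigmaHQ) that evaluates the 3033/3034 selection and two of the rule's filters over constructed CodeIntegrity events. The field names (EventID, FileNameBuffer, ProcessNameBuffer, RequestedPolicy) are the ones the rule uses; the event values, the volume prefix and the GAC assembly path are constructed sample data.

```python
# Added example (not from the Sigma rule or SigmaHQ): a small evaluator for the rule's
# selection plus two of its filters, run over constructed CodeIntegrity 3033/3034 events.
SELECTION_EVENT_IDS = {3033, 3034}

# Each filter is a list of (field, modifier, values); a YAML map is AND, a value list is OR.
FILTERS = {
    "filter_optional_dtrace": [
        ("FileNameBuffer", "endswith", ["\\Program Files\\DTrace\\dtrace.dll"]),
        ("ProcessNameBuffer", "endswith", ["\\Windows\\System32\\svchost.exe"]),
        ("RequestedPolicy", "equals", [12]),
    ],
    "filter_main_gac": [
        ("FileNameBuffer", "contains", ["\\Windows\\assembly\\GAC\\"]),
        ("ProcessNameBuffer", "endswith", ["\\mscorsvw.exe"]),
        ("ProcessNameBuffer", "contains", ["\\Windows\\Microsoft.NET\\"]),
        ("RequestedPolicy", "equals", [8]),
    ],
}

def _match(value, modifier, candidates):
    """Sigma string modifiers are case-insensitive by default; 'equals' is exact."""
    if modifier == "equals":
        return value in candidates
    text = str(value or "").lower()
    for cand in candidates:
        cand = cand.lower()
        if modifier == "endswith" and text.endswith(cand):
            return True
        if modifier == "contains" and cand in text:
            return True
    return False

def evaluate(event):
    """Return (alert, matched_filter), i.e. the rule's 'selection and not 1 of filter_*'."""
    if event.get("EventID") not in SELECTION_EVENT_IDS:
        return False, None
    for name, clauses in FILTERS.items():
        if all(_match(event.get(f), m, v) for f, m, v in clauses):
            return False, name  # excluded by a known-benign filter
    return True, None

VOL = "\\Device\\HarddiskVolume5"  # constructed volume prefix
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"EventID": 3033, "RequestedPolicy": 12, "ProcessNameBuffer": VOL + "\\Windows\\System32\\svchost.exe",
     "FileNameBuffer": VOL + "\\Program Files\\DTrace\\dtrace.dll"},
    {"EventID": 3033, "RequestedPolicy": 8, "ProcessNameBuffer": VOL + "\\Windows\\System32\\svchost.exe",
     "FileNameBuffer": VOL + "\\Program Files\\DTrace\\dtrace.dll"},  # same DLL, other policy: not filtered
    {"EventID": 3034, "RequestedPolicy": 8, "ProcessNameBuffer": VOL + "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe",
     "FileNameBuffer": VOL + "\\Windows\\assembly\\GAC\\Example.Assembly\\1.0.0.0__0123456789abcdef\\Example.Assembly.dll"},
    {"EventID": 3089, "RequestedPolicy": 8, "ProcessNameBuffer": VOL + "\\Windows\\System32\\svchost.exe",
     "FileNameBuffer": VOL + "\\Users\\user\\Downloads\\helper.dll"},  # 3089 is correlation data, not in the selection
]

def run(events=SAMPLE_EVENTS):
    """Evaluate every event; the second sample shows that RequestedPolicy narrows the dtrace filter."""
    return [evaluate(e) for e in events]
```

The second sample event is the instructive one: the same dtrace.dll load by svchost.exe is still alerted on when RequestedPolicy differs from the 12 the filter expects, which is why tuning should compare all three fields rather than the DLL path alone.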