CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects file load attempts that did not meet the required signing level (EID 3033, or EID 3034 when the image was still allowed to load because Code Integrity is running in audit mode). This often means the file's signature has been revoked or a signature carrying the Lifetime Signing EKU has expired. Correlate the event with EID 3089, which carries the signature details and the verification error for the file under validation.
Sigma rule
title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
id: f8931561-97f5-4c46-907f-0a4a592e47a7
status: experimental
description: |
    Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
    This event is best correlated with EID 3089 to determine the error of the validation.
references:
    - https://twitter.com/SBousseaden/status/1483810148602814466
    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-20
modified: 2024-10-08
tags:
    - attack.execution
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.
            - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.
    filter_optional_dtrace:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
        FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
        ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
        RequestedPolicy: 12
    filter_optional_av_generic:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
        FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
        FileNameBuffer|endswith: '\igd10iumd64.dll'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_electron_based_app:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|endswith:
            - '\AppData\Local\Keybase\Gui\Keybase.exe'
            - '\Microsoft\Teams\stage\Teams.exe'
        RequestedPolicy: 8
    filter_optional_bonjour:
        FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
        ProcessNameBuffer|endswith:
            - '\Windows\System32\svchost.exe'
            - '\Windows\System32\SIHClient.exe'
        RequestedPolicy:
            - 8
            - 12
    filter_optional_msoffice:
        FileNameBuffer|contains: '\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE'
        FileNameBuffer|endswith: '\MSOXMLMF.DLL'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_slack:
        # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png
        # Even though it's the same DLL as the one used in the electron based app filter, we need a separate selection because Slack's folder name carries the version number.
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|contains: '\AppData\Local\slack\app-'
        ProcessNameBuffer|endswith: '\slack.exe'
        RequestedPolicy: 8
    filter_optional_firefox:
        # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png
        FileNameBuffer|endswith:
            - '\Mozilla Firefox\mozavcodec.dll'
            - '\Mozilla Firefox\mozavutil.dll'
        ProcessNameBuffer|endswith: '\Mozilla Firefox\firefox.exe'
        RequestedPolicy: 8
    filter_optional_avast:
        FileNameBuffer|endswith:
            - '\Program Files\Avast Software\Avast\aswAMSI.dll'
            - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
        RequestedPolicy:
            - 8
            - 12
    filter_main_gac:
        # Filtering the path containing this string because of multiple possible DLLs in that location
        FileNameBuffer|contains: '\Windows\assembly\GAC\'
        ProcessNameBuffer|endswith: '\mscorsvw.exe'
        ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
        RequestedPolicy: 8
    filter_optional_google_drive:
        # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
        FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
        FileNameBuffer|endswith: '\crashpad_handler.exe'
        ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
        RequestedPolicy: 8
    filter_optional_trend_micro:
        FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
        RequestedPolicy: 8
    filter_optional_mdns_responder:
        # Trailing whitespace removed from the value: an endswith pattern ending in a space would never match the logged path.
        FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll'
    filter_optional_mcafee:
        FileNameBuffer|endswith:
            - '\Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll'
            - '\Program Files\McAfee\MfeAV\AMSIExt.dll'
    filter_optional_eset:
        FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
    filter_optional_comodo:
        FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
    filter_optional_sentinel_one:
        # Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll
        - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
        # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
        - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
level: low
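To see what the rule's condition actually does with the 3033/3034 selection and its filters, and how a surviving hit is joined to its EID 3089 signature-information event, here is an added Python example. It is not code from the rule or from SigmaHQ. It assumes events have been shipped as flat dictionaries keyed by the EventData field names the rule uses, with the Correlation ActivityID from the event's System section exposed as `ActivityID`; only two of the rule's filters are transcribed, and every event below is constructed for the demonstration. The RequestedPolicy labels are the signing-level names quoted in the rule's own example messages; VerificationError and ValidatedSigningLevel are passed through as the raw integers the 3089 event carries, to be read against the event-tag explanations linked in the rule.

```python
"""Added example: run the Sigma rule's selection/filter logic over constructed
CodeIntegrity-Operational events and join hits to EID 3089 by ActivityID."""
from collections import defaultdict

# RequestedPolicy values used by the rule, labelled as in its example messages.
SIGNING_LEVEL = {7: "Custom 3 / Antimalware", 8: "Microsoft", 12: "Windows"}

# Two of the rule's filters as (field, operator, values) clauses.
# Clauses inside one filter are ANDed; list values inside a clause are ORed.
FILTERS = {
    "filter_optional_dtrace": [
        ("FileNameBuffer", "endswith", ["\\Program Files\\DTrace\\dtrace.dll"]),
        ("ProcessNameBuffer", "endswith", ["\\Windows\\System32\\svchost.exe"]),
        ("RequestedPolicy", "equals", [12]),
    ],
    "filter_optional_electron_based_app": [
        ("FileNameBuffer", "endswith", ["\\Windows\\System32\\nvspcap64.dll"]),
        ("ProcessNameBuffer", "endswith", ["\\AppData\\Local\\Keybase\\Gui\\Keybase.exe",
                                           "\\Microsoft\\Teams\\stage\\Teams.exe"]),
        ("RequestedPolicy", "equals", [8]),
    ],
}


def _clause_matches(event, field, op, values):
    """Sigma's string modifiers (endswith/contains) are case-insensitive;
    a plain value (RequestedPolicy) is an exact comparison."""
    actual = event.get(field)
    if actual is None:
        return False
    if op == "equals":
        return actual in values
    actual = str(actual).lower()
    for value in values:
        value = value.lower()
        if op == "endswith" and actual.endswith(value):
            return True
        if op == "contains" and value in actual:
            return True
    return False


def filter_matches(event, clauses):
    return all(_clause_matches(event, *clause) for clause in clauses)


def rule_hits(events):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    hits = []
    for event in events:
        if event.get("EventID") not in (3033, 3034):
            continue  # not in the selection
        if any(filter_matches(event, clauses) for clauses in FILTERS.values()):
            continue  # suppressed by one of the filters
        hits.append(event)
    return hits


def correlate_with_3089(events):
    """Attach the 3089 event(s) sharing the hit's Correlation ActivityID.
    A hit with an empty signature list needs the 3089 event fetched separately."""
    signatures = defaultdict(list)
    for event in events:
        if event.get("EventID") == 3089:
            signatures[event["ActivityID"]].append(event)
    results = []
    for hit in rule_hits(events):
        results.append({
            "EventID": hit["EventID"],
            "audit_only": hit["EventID"] == 3034,  # 3034: image was still allowed to load
            "process": hit["ProcessNameBuffer"],
            "file": hit["FileNameBuffer"],
            "requested_level": SIGNING_LEVEL.get(hit["RequestedPolicy"], str(hit["RequestedPolicy"])),
            "signatures": [
                {key: sig.get(key) for key in
                 ("TotalSignatureCount", "ValidatedSigningLevel", "VerificationError", "PublisherName")}
                for sig in signatures.get(hit["ActivityID"], [])
            ],
        })
    return results


# Constructed sample events (not real telemetry); ActivityID is assumed to carry
# the System-section Correlation ActivityID. Numeric 3089 values are placeholders.
VOL = "\\Device\\HarddiskVolume5"
SAMPLE_EVENTS = [
    # Benign, suppressed by filter_optional_dtrace
    {"EventID": 3033, "ActivityID": "a1", "RequestedPolicy": 12,
     "ProcessNameBuffer": VOL + "\\Windows\\System32\\svchost.exe",
     "FileNameBuffer": VOL + "\\Program Files\\DTrace\\dtrace.dll"},
    # Benign, suppressed by filter_optional_electron_based_app
    {"EventID": 3033, "ActivityID": "a2", "RequestedPolicy": 8,
     "ProcessNameBuffer": VOL + "\\Users\\user\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe",
     "FileNameBuffer": VOL + "\\Windows\\System32\\nvspcap64.dll"},
    # Hit: enforced block of a DLL from a user-writable path, with its 3089 event
    {"EventID": 3033, "ActivityID": "a3", "RequestedPolicy": 12,
     "ProcessNameBuffer": VOL + "\\Windows\\System32\\svchost.exe",
     "FileNameBuffer": VOL + "\\Users\\user\\AppData\\Local\\Temp\\helper.dll"},
    {"EventID": 3089, "ActivityID": "a3", "TotalSignatureCount": 1,
     "ValidatedSigningLevel": 1, "VerificationError": 4, "PublisherName": "Example Publisher"},
    # Hit: audit-mode event whose 3089 counterpart was not collected
    {"EventID": 3034, "ActivityID": "a4", "RequestedPolicy": 8,
     "ProcessNameBuffer": VOL + "\\Program Files\\Contoso\\agent.exe",
     "FileNameBuffer": VOL + "\\Program Files\\Contoso\\plugin.dll"},
    # Outside the selection
    {"EventID": 3076, "ActivityID": "a5", "RequestedPolicy": 8,
     "ProcessNameBuffer": VOL + "\\Windows\\explorer.exe",
     "FileNameBuffer": VOL + "\\Users\\user\\Downloads\\tool.exe"},
]

if __name__ == "__main__":
    for hit in correlate_with_3089(SAMPLE_EVENTS):
        print(hit)
```

The two benign events fall to the filters, the 3076 event is outside the selection, and the remaining 3033 and 3034 events are reported with whatever 3089 signature data shares their ActivityID. The second hit shows the practical gap the rule description points at: without the 3089 event the hit says only that the Microsoft signing level was not met, not why.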
Related rules
- Renamed Powershell Under Powershell Channel
- Suspicious Non PowerShell WSMAN COM Provider
- Alternate PowerShell Hosts Pipe
- Add Potential Suspicious New Download Source To Winget
- Arbitrary File Download Via IMEWDBLD.EXE