Code Integrity Attempted DLL Load

Detects attempted DLL load events that did not meet the anti-malware or Windows signing level requirements. This often means the file's signature has been revoked or has expired.

Sigma rule (View on GitHub)

# Sigma rule for Windows Code Integrity event 3033: a process asked for a DLL to be
# loaded at a given signing level and the file did not validate at that level.
# Everything under detection.filter_* is a known-benign loader/DLL pairing that is
# excluded from the alert; see the condition at the bottom.
title: Code Integrity Attempted DLL Load
id: f8931561-97f5-4c46-907f-0a4a592e47a7
description: Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
status: experimental
references:
    - https://twitter.com/SBousseaden/status/1483810148602814466
    # Microsoft's explanation of the CodeIntegrity/Operational event IDs (and the signing-level values used below)
    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
date: 2022/01/20
modified: 2023/04/27
tags:
    - attack.execution
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        # 3033: "Code Integrity determined that a process (...) attempted to load (...) that did not meet the (...) signing level requirements"
        EventID: 3033
    # Field meaning, as far as the example messages below show it:
    #   RequestedPolicy  - the signing level the loading process demanded;
    #                      12 = Windows, 7 = Custom 3 / Antimalware, 8 = Microsoft
    #   ValidatedPolicy  - presumably the level the file actually validated at
    #                      (1 is documented by Microsoft as "Unsigned" -- confirm against the reference above)
    # NOTE(review): FileNameBuffer/ProcessNameBuffer are matched with |endswith / |contains, so a filter
    # excludes that file name wherever it sits on disk, not only under the directory shown in the example.
    # Keep each filter as narrow as the observed benign case allows (process path + DLL path + both policy values).
    filter_dtrace:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
        FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
        ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
        RequestedPolicy: 12
        ValidatedPolicy: 1
    filter_msmpeng:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
        FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
        FileNameBuffer|endswith: '\igd10iumd64.dll'
        # ProcessNameBuffer is AV products -- deliberately not constrained here, so any process requesting
        # the Antimalware level for this graphics DLL is excluded
        RequestedPolicy: 7
        ValidatedPolicy: 1
    filter_electron_based_app:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
        # The NVIDIA capture DLL is injected into these per-user Electron apps; Slack needs its own filter below.
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|endswith:
            - '\AppData\Local\Keybase\Gui\Keybase.exe'
            - '\Microsoft\Teams\stage\Teams.exe'
        RequestedPolicy: 8
        ValidatedPolicy: 1
    filter_bonjour:
        # Apple Bonjour name-service provider loaded by system processes at either the Microsoft or the Windows level
        FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
        ProcessNameBuffer|endswith:
            - '\Windows\System32\svchost.exe'
            - '\Windows\System32\SIHClient.exe'
        RequestedPolicy:
            - 8
            - 12
        ValidatedPolicy: 1
    filter_msoffice:
        # Click-to-Run Office shim DLL; the |contains prefix keeps this to the Office VFS tree, the suffix to the one DLL
        FileNameBuffer|contains: '\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE'
        FileNameBuffer|endswith: '\MSOXMLMF.DLL'
        # ProcessNameBuffer is AV products -- not constrained here, same trade-off as filter_msmpeng
        RequestedPolicy: 7
        ValidatedPolicy: 1
    filter_slack:
        # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png
        # Even though it's the same DLL as the one used in the electron based app filter, a separate selection is
        # needed because Slack's install folder carries the version number (hence |contains on the process path) :)
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|contains: '\AppData\Local\slack\app-'
        ProcessNameBuffer|endswith: '\slack.exe'
        RequestedPolicy: 8
        ValidatedPolicy: 1
    filter_firefox:
        # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png
        # NOTE(review): this is the only filter without a ValidatedPolicy value, so Firefox codec loads are
        # excluded at whatever level the file validated; confirm whether `ValidatedPolicy: 1` was intended
        # to match the other filters.
        FileNameBuffer|endswith:
            - '\Mozilla Firefox\mozavcodec.dll'
            - '\Mozilla Firefox\mozavutil.dll'
        ProcessNameBuffer|endswith: '\Mozilla Firefox\firefox.exe'
        RequestedPolicy: 8
    filter_avast:
        # Avast AMSI provider; no process constraint, so any Microsoft/Windows-level loader of this DLL is excluded
        FileNameBuffer|endswith:
            - '\Program Files\Avast Software\Avast\aswAMSI.dll'
            - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
        RequestedPolicy:
            - 8
            - 12
        ValidatedPolicy: 1
    filter_gac:
        # Filtering the path containing this string because of multiple possible DLLs in that location
        # (.NET native-image service mscorsvw.exe compiling assemblies from the Global Assembly Cache)
        FileNameBuffer|contains: '\Windows\assembly\GAC\'
        ProcessNameBuffer|endswith: '\mscorsvw.exe'
        ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
        RequestedPolicy: 8
        # Both validated levels 1 and 2 are seen here -- the only filter that accepts a value other than 1
        ValidatedPolicy:
            - 1
            - 2
    filter_google_drive:
        # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
        # Note the "loaded" file is an .exe (the crash handler), not a DLL; the version folder is why |contains is used
        FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
        FileNameBuffer|endswith: '\crashpad_handler.exe'
        ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
        RequestedPolicy: 8
        ValidatedPolicy: 1
    # Alert on every 3033 that is not fully matched by at least one filter_* block
    # (all keys inside a single filter must match for that filter to apply)
    condition: selection and not 1 of filter_*
falsepositives:
    # AV engines load third-party DLLs at the Antimalware level; see the two AV-related filters above
    - Antivirus products
level: high
