CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Sigma rule (View on GitHub)
1title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
2id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
3status: test
4description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
5references:
6 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
7 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
8 - Internal Research
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/06/06
11modified: 2023/06/14
12tags:
13 - attack.privilege_escalation
14logsource:
15 product: windows
16 service: codeintegrity-operational
17detection:
18 selection:
19 EventID:
20 - 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
21 - 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
22 filter_optional_vmware:
23 FileNameBuffer:
24 - 'system32\drivers\vsock.sys'
25 - 'System32\drivers\vmci.sys'
26 condition: selection and not 1 of filter_optional_*
27falsepositives:
28 - Unlikely
29level: high
References
Related rules
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- Potential 7za.DLL Sideloading
- Potential Edputil.DLL Sideloading
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential RjvPlatform.DLL Sideloading From Non-Default Location