SigmaHQ/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml

title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: Code integrity failures may indicate tampered executables.
author: Thomas Patzke
date: 2019/12/03
modified: 2020/08/23
tags:
    - attack.defense_evasion
    - attack.t1009          # an old one
    - attack.t1027.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 5038
            - 6281
    condition: selection
falsepositives:
    - Disk device errors
level: low