SigmaHQ/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
2020-01-30 16:07:37 +01:00

22 lines
469 B
YAML

title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: Code integrity failures may indicate tampered executables.
author: Thomas Patzke
date: 2019/12/03
tags:
- attack.defense_evasion
- attack.t1009
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 5038
- 6281
condition: selection
falsepositives:
- Disk device errors
level: low