{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/codeintegrity/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","Windows Defender Application Control"],"_cs_severities":["low"],"_cs_tags":["codeintegrity","windows","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eWindows Code Integrity (CI) is a security feature that validates the integrity of code before it is allowed to execute. Events 3033 and 3034 within the Code Integrity operational log signal situations where a process attempted to load a file that did not meet the configured signing level requirements. This can occur if the file's signature is invalid, revoked, or if a time-stamping signature has expired. This is often observed with legitimate software, but can also indicate attempts to load unsigned or improperly signed malicious code, potentially bypassing security controls. These events should be correlated with Event ID 3089 to determine the error of the validation. Due to the high number of false positives, careful filtering and tuning is required.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker attempts to execute a payload, often a DLL or other executable file, that is either unsigned, has a revoked signature, or whose signature has expired.\u003c/li\u003e\n\u003cli\u003eThe operating system's code integrity subsystem intercepts the file load operation.\u003c/li\u003e\n\u003cli\u003eCode Integrity validates the signing level of the file against the configured policy.\u003c/li\u003e\n\u003cli\u003eIf the signing level requirements are not met (e.g., invalid signature, expired certificate), Code Integrity logs Event ID 3033 (if blocking) or 3034 (if auditing).\u003c/li\u003e\n\u003cli\u003eIf blocking, the file load operation is prevented, hindering the execution of the malicious code. If auditing, the file load is allowed but logged.\u003c/li\u003e\n\u003cli\u003eThe attacker's attempt to execute the malicious payload is either blocked or allowed based on the Code Integrity policy.\u003c/li\u003e\n\u003cli\u003eIf allowed (Event ID 3034), the malicious code may execute, potentially leading to arbitrary code execution, privilege escalation, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhile the events themselves do not directly cause harm, they indicate potential attempts to bypass code integrity controls. Success in loading unsigned or improperly signed code can lead to arbitrary code execution, potentially enabling attackers to escalate privileges, deploy malware, or compromise system integrity. These events are noisy, and commonly triggered by legitimate software with expired or invalid signatures. The actual impact depends on whether the file load was blocked (Event ID 3033) or allowed (Event ID 3034).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Code Integrity operational log in Windows to collect Event IDs 3033 and 3034.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances of unmet signing level requirements and tune the filters to reduce false positives related to specific software in the environment.\u003c/li\u003e\n\u003cli\u003eInvestigate instances where Event ID 3034 is logged, as this indicates that unsigned or improperly signed code was allowed to load.\u003c/li\u003e\n\u003cli\u003eCorrelate Event IDs 3033 and 3034 with Event ID 3089, as recommended in the overview, to determine the underlying reason for the signing level failure and accurately differentiate malicious and benign activity.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of events where the \u003ccode\u003eFileNameBuffer\u003c/code\u003e does not match known good paths for third-party software to reduce false positives mentioned in the Sigma rule's \u003ccode\u003efalsepositives\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-code-integrity-signing/","summary":"Windows Code Integrity events 3033 and 3034 indicate an attempted file load that failed to meet the configured signing level requirements, potentially due to revoked signatures or expired certificates, signaling a possible attempt to load unsigned or untrusted code.","title":"Code Integrity - Unmet Signing Level Requirements","url":"https://feed.craftedsignal.io/briefs/2024-01-03-code-integrity-signing/"}],"language":"en","title":"CraftedSignal Threat Feed - Codeintegrity","version":"https://jsonfeed.org/version/1.1"}