← Back to Explore
sigmahighHunting
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
Detection Query
selection:
EventID:
- 11
- 12
ImageName|contains:
- \Users\Public\
- \PerfLogs\
- \Desktop\
- \Downloads\
- \AppData\Local\Temp\
- C:\Windows\TEMP\
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-03
Data Sources
windowssecurity-mitigations
Platforms
windows
Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001
Raw Content
title: Unsigned Binary Loaded From Suspicious Location
id: 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10
status: test
description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2022-09-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1574.001
logsource:
product: windows
service: security-mitigations
detection:
selection:
EventID:
- 11
- 12
ImageName|contains:
- '\Users\Public\'
- '\PerfLogs\'
- '\Desktop\'
- '\Downloads\'
- '\AppData\Local\Temp\'
- 'C:\Windows\TEMP\'
condition: selection
falsepositives:
- Unknown
level: high