Added Sigma Rules

rules/Sigma/win_susp_codeintegrity_check_failure.yml

@@ -0,0 +1,26 @@
+title: Failed Code Integrity Checks
+author: Thomas Patzke
+date: 2019/12/03
+description: Code integrity failures may indicate tampered executables.
+detection:
+    SELECTION_1:
+        EventID: 5038
+    SELECTION_2:
+        EventID: 6281
+    condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Disk device errors
+id: 470ec5fa-7b4e-4071-b200-4c753100f49b
+level: low
+logsource:
+    product: windows
+    service: security
+modified: 2020/08/23
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1009
+- attack.t1027.001
+yml_filename: win_susp_codeintegrity_check_failure.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+