title: Failed Code Integrity Checks
author: Thomas Patzke
date: 2019/12/03
description: Code integrity failures may indicate tampered executables.
detection:
  SELECTION_1:
    EventID: 5038
  SELECTION_2:
    EventID: 6281
  condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- Disk device errors
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
level: low
logsource:
  product: windows
  service: security
modified: 2020/08/23
status: stable
tags:
- attack.defense_evasion
- attack.t1009
- attack.t1027.001
ruletype: SIGMA