A file whose image hash does not validate may have been corrupted by unauthorized modification, or the invalid hash may point to a disk device error. It is therefore crucial to detect whether a file is still valid. Windows Code Integrity performs this check and reports when the image hash of a file is not valid.
On Windows, look for Event ID 5038 to check for file integrity: the Code Integrity feature verifies the hash and signature of a file and logs this event when the signature is not valid.
There is currently no captured example of this event, but you can expect the following:
Subcategory: Audit System Integrity
Event Schema:
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: %filepath\filename%
Security Monitoring Recommendations by Windows
Monitor this event, especially on high-value assets or computers, because it can be a sign of a software or configuration issue, or of a malicious action.
SIEM Alert Rule
event_id=5038
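The following PowerShell script is an added triage example, not part of the original post or of any Microsoft tooling. It pulls Event ID 5038 from the Security log, extracts the flagged path from the "File Name:" line of the event message, and checks the file's current Authenticode signature so an analyst can quickly separate a tampered or corrupt binary (HashMismatch) from a missing file or disk problem. It assumes an elevated session that can read the Security log; the ComputerName and Hours parameters are assumptions for convenience.

```powershell
# Added example (not from the original post): triage Event ID 5038
# (Code Integrity: image hash of a file is not valid).
# Assumes: elevated session with read access to the Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local host by default
    [int]$Hours = 24                            # assumption: look-back window in hours
)

# Same selection as the SIEM rule above: Security log, Event ID 5038.
$filter = @{
    LogName   = 'Security'
    Id        = 5038
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as "no findings".
    if ($_.Exception.Message -match 'No events were found') { $events = @() }
    else { throw }
}

foreach ($e in $events) {
    # The event schema ends with "File Name: <path>"; capture the rest of that line.
    $path = $null
    if ($e.Message -match 'File Name:\s*(.+)') { $path = $Matches[1].Trim() }

    # Re-check the file now: HashMismatch points at modification or corruption,
    # while a file that no longer exists is worth correlating with disk errors.
    $sigStatus = 'file not found'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $sigStatus = $sig.Status   # Valid / NotSigned / HashMismatch / NotTrusted / ...
    }

    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        Computer     = $e.MachineName
        File         = $path
        SignatureNow = $sigStatus
        RecordId     = $e.RecordId
    }
}
```

Run it as `.\Find-CodeIntegrityFailures.ps1 -Hours 72` (file name is an assumption) and pipe the output to Export-Csv or your SIEM forwarder; the RecordId lets you jump back to the original event for the full message.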