5038 Code integrity determined that the image hash of a file is not valid
Written when Code Integrity determines that a file's image hash is not valid. It records an attempt to load an executable or driver whose on-disk contents no longer match the hash carried in its signature or catalog, i.e. a tampered or corrupt file.
Overview
The subcategory is Audit System Integrity, and the event is written to the Security log. It is generated when Code Integrity (the mechanism that verifies the signature/hash of executables and drivers) determines that the image hash of a file being loaded does not match the expected value. The causes are unauthorized modification, disk corruption, or an invalid signature; the event itself does not say which.
How it is triggered
- During signature verification at load time, when the hash of an executable or driver does not match the hash in its Authenticode signature or security catalog.
- Besides disk corruption or a partially applied update, it can occur from deliberate file tampering (a patched binary) or an attempt to load a modified driver.
Security review points
- A hash mismatch can indicate tampering of a legitimate file (for example, a backdoor patched into a binary) or an attempt to run a modified driver or executable. Check the full path and name of the file. Note the caveat for Bring Your Own Vulnerable Driver (BYOVD): the abused driver is usually validly signed, so it loads without a 5038; this event catches files whose contents no longer match their signature, not signed-but-vulnerable ones.
- A hash mismatch on a driver (kernel space) is particularly serious. Correlate it with event 4826 (Boot Configuration Data loaded), whose TestSigning and DisableIntegrityChecks fields show whether signature enforcement was weakened at boot (MITRE ATT&CK T1553.006, Code Signing Policy Modification), to spot attempts to bypass driver signature verification.
Notes for log review
- It can also result from disk corruption or an incomplete update. Distinguish whether the file is a known legitimate one that is corrupt, a legitimate one that has been modified, or an unknown, possibly malicious one.
- Treat hash mismatches on system files and drivers as high priority. Re-verify the file's current hash and signature status (for example with Get-AuthenticodeSignature and Get-FileHash); a file that now verifies as Valid may have been replaced or repaired since the event, which is itself worth noting.
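The review points and notes above amount to a triage procedure: pull the 5038 events, resolve the File Name to a path, re-check the file's signature and hash, prioritise drivers and system files, and look for 4826 events showing weakened signature enforcement. The following PowerShell script is an added example that carries out that procedure; it is not code from the original page or from Microsoft. It assumes an elevated session on the host under review, that Security log retention covers the window, that the File Name is the first EventData property of 5038 and is an NT device path such as \Device\HarddiskVolume3\Windows\System32\drivers\x.sys, and that 4826 exposes its boot flags under the EventData names TestSigning and DisableIntegrityChecks.

```powershell
# Added example (not from the original page): triage Security event 5038 and correlate with 4826.
# Assumptions: run elevated; 5038's first property is the File Name (NT device path);
# 4826 EventData fields are named TestSigning and DisableIntegrityChecks with values Yes/No.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Map NT device names (\Device\HarddiskVolumeN) back to drive letters via QueryDosDevice,
# so the file can be inspected with Get-FileHash / Get-AuthenticodeSignature.
$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
$deviceMap = @{}
foreach ($code in 65..90) {                      # 'A'..'Z'
    $drive = "$([char]$code):"
    $sb = New-Object System.Text.StringBuilder 512
    if ($k32::QueryDosDevice($drive, $sb, $sb.Capacity) -gt 0) {
        $deviceMap[$sb.ToString()] = $drive
    }
}
function ConvertTo-DosPath([string]$ntPath) {
    foreach ($dev in $deviceMap.Keys) {
        if ($ntPath.StartsWith($dev, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $deviceMap[$dev] + $ntPath.Substring($dev.Length)
        }
    }
    return $ntPath                               # unmapped volume (e.g. removable media no longer present)
}

# 1) Was signature enforcement weakened at boot? (4826: Boot Configuration Data loaded)
$bcdWeakened = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4826; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time                   = $_.TimeCreated
            TestSigning            = ($d | Where-Object Name -eq 'TestSigning').'#text'
            DisableIntegrityChecks = ($d | Where-Object Name -eq 'DisableIntegrityChecks').'#text'
        }
    } | Where-Object { $_.TestSigning -eq 'Yes' -or $_.DisableIntegrityChecks -eq 'Yes' }
if ($bcdWeakened) {
    Write-Warning "BCD loaded with signature enforcement weakened in the last $Hours h:"
    $bcdWeakened | Format-Table -AutoSize
}

# 2) Each 5038: resolve the file, re-verify signature and hash, assign a review priority.
$protectedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = ConvertTo-DosPath ([string]$_.Properties[0].Value)   # File Name field
        $row = [ordered]@{
            Time = $_.TimeCreated; File = $path; Exists = $false
            Signature = $null; Signer = $null; SHA256 = $null; Priority = 'review'
        }
        if (Test-Path -LiteralPath $path) {
            $row.Exists    = $true
            $sig           = Get-AuthenticodeSignature -LiteralPath $path
            $row.Signature = $sig.Status                      # HashMismatch reproduces the CI finding
            $row.Signer    = $sig.SignerCertificate.Subject
            $row.SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        $isDriver = $path -like '*.sys'
        $inSystem = [bool]($protectedRoots | Where-Object { $path -like "$_\*" })
        if ($isDriver -or $inSystem) { $row.Priority = 'high (driver or system file)' }
        if ($row.Signature -eq 'Valid') { $row.Priority = 'medium (now valid: replaced or repaired since the event?)' }
        if ($bcdWeakened -and $isDriver) { $row.Priority = 'critical (driver mismatch while enforcement weakened)' }
        [pscustomobject]$row
    } | Sort-Object Time | Format-List
```

Read the output alongside what the page asks: a Signature of HashMismatch on a file under System32 or a .sys file is the case to escalate, NotSigned on a file that should be catalog-signed deserves the same treatment, and Valid usually means the file was rewritten after the event (an update completing, or a repair), so compare the recorded SHA256 against a known-good source before closing the case. If the script emits the 4826 warning, treat every driver in the list as suspect regardless of its current signature status.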
Key fields
| Field | Meaning |
|---|---|
| File Name | The file whose hash was found invalid, as an NT device path |
Glossary
- Code Integrity — a Windows mechanism that verifies the signature/hash of drivers and executables to prevent loading tampered or unsigned code.