Event ID 3004 — Windows is unable to verify the image integrity of the file FileNameBuffer because file hash could not be found on the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: Error
Collection Priority: Recommended (NSA, others)
Task: CreateSection
Opcode: FileHashNotFound

Message

Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Fields

Name                    Description
FileNameLength          UInt16
FileNameBuffer          UnicodeString
SecureRequired          HexInt32
RequestedSigningLevel   UInt8
ProcessNameLength       UInt16
ProcessNameBuffer       UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3004,
    "version": 1,
    "level": 2,
    "task": 1,
    "opcode": 104,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:03:39.834684+00:00",
    "event_record_id": 2826,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0002-799D-F2E43710DA01"
    },
    "execution": {
      "process_id": 18308,
      "thread_id": 9372
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FileNameLength": 87,
    "FileNameBuffer": "\\Device\\HarddiskVolume4\\Program Files\\Avira\\Endpoint Protection SDK\\amsi\\x64\\avamsi.dll",
    "SecureRequired": "0x80000000",
    "RequestedSigningLevel": 7,
    "ProcessNameLength": 81,
    "ProcessNameBuffer": "\\Device\\HarddiskVolume4\\Program Files\\Avira\\Endpoint Protection SDK\\wsc_agent.exe"
  },
  "message": ""
}