Event ID 3023 — The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.
Description
The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Blocked Driver Load With Revoked Certificate (high): Detects blocked load attempts of revoked drivers