Event ID 3032 — Code Integrity determined a revoked image FileNameBuffer is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: CreateSection
Opcode: RevokedImageLoaded

Description

Code Integrity determined a revoked image FileNameBuffer is loaded into the system. Check with the publisher to see if a new signed version of the image is available.

Message #

Code Integrity determined a revoked image %2 is loaded into the system.  Check with the publisher to see if a new signed version of the image is available.

Fields #

Name	Description
`FileNameLength` UInt16	—
`FileNameBuffer` UnicodeString	—
`SecureRequired` HexInt32	—
`RequestedSigningLevel` UInt8	—
`ProcessNameLength` UInt16	—
`ProcessNameBuffer` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

CodeIntegrity - Revoked Image Loaded source high: Detects image load events with revoked certificates by code integrity.↳ also matches:Event ID 3035: Code Integrity determined a revoked image FileNameBuffer is loaded into the system.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3032 — Code Integrity determined a revoked image FileNameBuffer is loaded into the system.

Description

Message #

Fields #

Detection Rules #

Sigma # view in reference

Related Events #

References #