Event ID 3033 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: Error
Collection Priority: Recommended (Palantir, others)
Task: CreateSection
Opcode: PolicyFailure

Description

Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.

Message #

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.

Fields #

Name	Description
`FileNameLength` UInt16	—
`FileNameBuffer` UnicodeString	—
`ProcessNameLength` UInt16	—
`ProcessNameBuffer` UnicodeString	—
`RequestedPolicy` UInt8	—
`ValidatedPolicy` UInt8	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3033,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 111,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:54:48.422937+00:00",
    "event_record_id": 2821,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0000-694C-EEE43710DA01"
    },
    "execution": {
      "process_id": 16400,
      "thread_id": 16044
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FileNameLength": 70,
    "FileNameBuffer": "\\Device\\HarddiskVolume4\\Program Files\\Avast Software\\Avast\\aswAMSI.dll",
    "ProcessNameLength": 52,
    "ProcessNameBuffer": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "RequestedPolicy": 12,
    "ValidatedPolicy": 1,
    "Status": 3221226536
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation source low: Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.↳ also matches:Event ID 3034: Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3033 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.

Description

Message #

Fields #

Example Event #

Detection Rules #

Sigma # view in reference

Related Events #

References #