Event ID 3077 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Collection Priority: Recommended (Yamato Security, others)
Task: ValidateSIPolicy
Opcode: PolicyFailure

Description

Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity policy.

Message #

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy.

Fields #

Name	Description
`FileNameLength` UInt16	—
`File Name` UnicodeString	—
`ProcessNameLength` UInt16	—
`Process Name` UnicodeString	—
`Requested Signing Level` UInt8	—
`Validated Signing Level` UInt8	—
`Status` HexInt32	— NTSTATUS reference
`SHA1 Hash Size` UInt32	—
`SHA1 Hash` Binary	—
`SHA256 Hash Size` UInt32	—
`SHA256 Hash` Binary	—
`SHA1 Flat Hash Size` UInt32	—
`SHA1 Flat Hash` Binary	—
`SHA256 Flat Hash Size` UInt32	—
`SHA256 Flat Hash` Binary	—
`USN` UInt64	—
`SI Signing Scenario` UInt32	—
`PolicyNameLength` UInt16	—
`PolicyName` UnicodeString	—
`PolicyIDLength` UInt16	—
`PolicyID` UnicodeString	—
`PolicyHashSize` UInt32	—
`PolicyHash` Binary	—
`OriginalFileNameLength` UInt16	—
`OriginalFileName` UnicodeString	—
`InternalNameLength` UInt16	—
`InternalName` UnicodeString	—
`FileDescriptionLength` UInt16	—
`FileDescription` UnicodeString	—
`ProductNameLength` UInt16	—
`ProductName` UnicodeString	—
`FileVersion` AnsiString	—
`PolicyGUID` GUID	—
`UserWriteable` Boolean	—
`PackageFamilyNameLength` UInt16	—
`PackageFamilyName` UnicodeString	—
`FileName` UnicodeString	—
`ProcessName` UnicodeString	—
`RequestedSigningLevel` UInt8	—
`ValidatedSigningLevel` UInt8	—
`SHA1HashSize` UInt32	—
`SHA1Hash` Binary	—
`SHA256HashSize` UInt32	—
`SHA256Hash` Binary	—
`SHA1FlatHashSize` UInt32	—
`SHA1FlatHash` Binary	—
`SHA256FlatHashSize` UInt32	—
`SHA256FlatHash` Binary	—
`SISigningScenario` UInt32	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

CodeIntegrity - Blocked Image/Driver Load For Policy Violation source high: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations