
Event ID 3089 — Signature information for another event.

Provider
Microsoft-Windows-CodeIntegrity
Channel
Operational
Level
Informational
Collection Priority
Recommended (Yamato Security, others)
Task
CreateSection
Opcode
SignatureInformation

Description

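Signature information for another Code Integrity event. This event carries the signer details (publisher, issuer, hashes, validated signing level, verification error) for a file that a different event reported. Match the two using the Correlation Id, which is the `ActivityID` under `correlation` in the System section of both events. `TotalSignatureCount` is the number of signatures found on the file and `Signature` identifies which of them this event describes, so collect every 3089 event that shares the ActivityID before drawing a conclusion about the file.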

Message

Signature information for another event. Match using the Correlation Id.

Fields

Name Description
TotalSignatureCount UInt32
Signature UInt32
CacheState UInt8
Hash Size UInt32
Hash Binary
PageHash Boolean
SignatureType UInt8
ValidatedSigningLevel UInt8
VerificationError UInt8
Flags UInt32
PolicyBits UInt32
NotValidBefore FILETIME
NotValidAfter FILETIME
PublisherNameLength UInt16
PublisherName UnicodeString
IssuerNameLength UInt16
IssuerName UnicodeString
PublisherTBSHashSize UInt32
PublisherTBSHash Binary
IssuerTBSHashSize UInt32
IssuerTBSHash Binary

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3089,
    "version": 2,
    "level": 4,
    "task": 1,
    "opcode": 130,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:03:39.834696+00:00",
    "event_record_id": 2828,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0002-799D-F2E43710DA01"
    },
    "execution": {
      "process_id": 18308,
      "thread_id": 9372
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TotalSignatureCount": 2,
    "Signature": 1,
    "CacheState": 0,
    "Hash Size": 32,
    "Hash": "CDFCFB06A61D9DEFD635A74F71DFB6BD5B3531EE7BAD61D942E259156C5F9746",
    "PageHash": false,
    "SignatureType": 1,
    "ValidatedSigningLevel": 8,
    "VerificationError": 18,
    "Flags": 0,
    "PolicyBits": 2050,
    "NotValidBefore": "2023-04-06T19:16:30.000000Z",
    "NotValidAfter": "2024-04-03T19:16:30.000000Z",
    "PublisherNameLength": 50,
    "PublisherName": "Microsoft Windows Hardware Compatibility Publisher",
    "IssuerNameLength": 47,
    "IssuerName": "Microsoft Windows Third Party Component CA 2014",
    "PublisherTBSHashSize": 32,
    "PublisherTBSHash": "0F06228DE7BACFBF65D426DF80C4E40C5ABFE5A2A402E6221DEA03B18897DE2B",
    "IssuerTBSHashSize": 32,
    "IssuerTBSHash": "D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE"
  },
  "message": ""
}

References