Microsoft-Windows-Security-Mitigations

36 events across 2 channels

Event ID 1 — Process would have been blocked from generating dynamic code.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode
Samples
1

Message

Process '%2' (PID %5) would have been blocked from generating dynamic code.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime

Example Event

system:
  provider: Microsoft-Windows-Security-Mitigations
  guid: FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF
  event_source_name: ''
  event_id: 1
  version: 0
  level: 0
  task: 1
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-04T14:07:23.788203+00:00'
  event_record_id: 7
  correlation: {}
  execution:
    process_id: 4808
    thread_id: 4432
  channel: Microsoft-Windows-Security-Mitigations/KernelMode
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  ProcessPathLength: 60
  ProcessPath: \Device\HarddiskVolume2\Windows\System32\inetsrv\InetMgr.exe
  ProcessCommandLineLength: 42
  ProcessCommandLine: '"C:\Windows\system32\inetsrv\InetMgr.exe" '
  CallingProcessId: 4808
  CallingProcessCreateTime: '2022-04-04T14:07:23.009253Z'
  CallingProcessStartKey: 1407374883554550
  CallingProcessSignatureLevel: 0
  CallingProcessSectionSignatureLevel: 0
  CallingProcessProtection: 0
  CallingThreadId: 4432
  CallingThreadCreateTime: '2022-04-04T14:07:23.009255Z'
message: ''

References

Event ID 2 — Process was blocked from generating dynamic code.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode
Level
3
Samples
1

Message

Process '%2' (PID %5) was blocked from generating dynamic code.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime

Example Event

system:
  provider: Microsoft-Windows-Security-Mitigations
  guid: FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF
  event_source_name: ''
  event_id: 2
  version: 0
  level: 3
  task: 1
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:01:34.932541+00:00'
  event_record_id: 88
  correlation: {}
  execution:
    process_id: 11664
    thread_id: 10404
  channel: Microsoft-Windows-Security-Mitigations/KernelMode
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ProcessPathLength: 59
  ProcessPath: \Device\HarddiskVolume4\Program Files\TeamViewer\tv_x64.exe
  ProcessCommandLineLength: 192
  ProcessCommandLine: '"C:\Program Files\TeamViewer\tv_x64.exe" --action installpnpdriver
    --inf "C:\Program Files\TeamViewer\x64\TVVirtualMonitorDriver.inf" --log "C:\Program
    Files\TeamViewer\TeamViewer15_Hooks.log"'
  CallingProcessId: 11664
  CallingProcessCreateTime: '2023-11-06T01:01:34.836839Z'
  CallingProcessStartKey: 3659174697240700
  CallingProcessSignatureLevel: 2
  CallingProcessSectionSignatureLevel: 2
  CallingProcessProtection: 0
  CallingThreadId: 10404
  CallingThreadCreateTime: '2023-11-06T01:01:34.836843Z'
message: ''

References

Event ID 3 — Process would have been blocked from creating a child process.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode
Samples
1

Message

Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime
ChildImagePathNameLength
ChildImagePathName
ChildCommandLineLength
ChildCommandLine

Example Event

system:
  provider: Microsoft-Windows-Security-Mitigations
  guid: FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF
  event_source_name: ''
  event_id: 3
  version: 0
  level: 0
  task: 2
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-26T04:19:22.802481+00:00'
  event_record_id: 6
  correlation: {}
  execution:
    process_id: 2524
    thread_id: 452
  channel: Microsoft-Windows-Security-Mitigations/KernelMode
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  ProcessPathLength: 52
  ProcessPath: \Device\HarddiskVolume4\Windows\System32\spoolsv.exe
  ProcessCommandLineLength: 31
  ProcessCommandLine: C:\Windows\System32\spoolsv.exe
  CallingProcessId: 2524
  CallingProcessCreateTime: '2023-10-26T04:17:19.791140Z'
  CallingProcessStartKey: 281474976710715
  CallingProcessSignatureLevel: 2
  CallingProcessSectionSignatureLevel: 2
  CallingProcessProtection: 0
  CallingThreadId: 452
  CallingThreadCreateTime: '2023-10-26T04:19:20.206505Z'
  ChildImagePathNameLength: 32
  ChildImagePathName: C:\Windows\SysWOW64\regsvr32.exe
  ChildCommandLineLength: 73
  ChildCommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\PrintConfig.dll"
message: ''

References

Event ID 4 — Process was blocked from creating a child process.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime
ChildImagePathNameLength
ChildImagePathName
ChildCommandLineLength
ChildCommandLine

Event ID 5 — Process would have been blocked from loading a low-integrity binary.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
TargetThreadId
TargetThreadCreateTime
ImageNameLength
ImageName

Event ID 6 — Process was blocked from loading a low-integrity binary.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
TargetThreadId
TargetThreadCreateTime
ImageNameLength
ImageName

Event ID 7 — Process would have been blocked from loading a binary from a remote share.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocking from loading a binary from a remote share.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime

Event ID 8 — Process was blocked from loading a binary from a remote share.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) was blocked from loading a binary from a remote share.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime

Event ID 9 — Process would have been blocked from making system calls to Win32k.sys.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocked from making system calls to Win32k.sys.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime

Event ID 10 — Process was blocked from making system calls to Win32k.sys.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode
Level
3
Samples
1

Message

Process '%2' (PID %5) was blocked from making system calls to Win32k.sys.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime

Example Event

system:
  provider: Microsoft-Windows-Security-Mitigations
  guid: FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF
  event_source_name: ''
  event_id: 10
  version: 0
  level: 3
  task: 5
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:55:30.233087+00:00'
  event_record_id: 194
  correlation: {}
  execution:
    process_id: 17736
    thread_id: 9464
  channel: Microsoft-Windows-Security-Mitigations/KernelMode
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ProcessPathLength: 65
  ProcessPath: \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe
  ProcessCommandLineLength: 412
  ProcessCommandLine: '"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc
    --channel=7928 -childID 13 -isForBrowser -prefsHandle 7924 -prefMapHandle 7272
    -prefsLen 37923 -prefMapSize 235045 -jsInitHandle 1588 -jsInitLen 235336 -parentBuildID
    20231019122658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser"
    - {9095c7bc-c09b-4e88-a55a-1b4a7ff727a7} 4148 "\\.\pipe\gecko-crash-server-pipe.4148"
    22025387bd0 tab'
  CallingProcessId: 17736
  CallingProcessCreateTime: '2023-11-06T01:55:29.635202Z'
  CallingProcessStartKey: 3659174697241340
  CallingProcessSignatureLevel: 2
  CallingProcessSectionSignatureLevel: 2
  CallingProcessProtection: 0
  CallingThreadId: 9464
  CallingThreadCreateTime: '2023-11-06T01:55:29.635208Z'
message: ''

References

Event ID 11 — Process would have been blocked from loading a non-Microsoft-signed binary.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
TargetThreadId
TargetThreadCreateTime
RequiredSignatureLevel
SignatureLevel
ImageNameLength
ImageName

Sigma Rules

Event ID 12 — Process was blocked from loading a non-Microsoft-signed binary.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode
Level
3
Samples
1

Message

Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
TargetThreadId
TargetThreadCreateTime
RequiredSignatureLevel
SignatureLevel
ImageNameLength
ImageName

Example Event

system:
  provider: Microsoft-Windows-Security-Mitigations
  guid: FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF
  event_source_name: ''
  event_id: 12
  version: 0
  level: 3
  task: 6
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:51:38.699135+00:00'
  event_record_id: 190
  correlation: {}
  execution:
    process_id: 18848
    thread_id: 20656
  channel: Microsoft-Windows-Security-Mitigations/KernelMode
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ProcessPathLength: 74
  ProcessPath: \Device\HarddiskVolume4\Program Files\Google\Chrome\Application\chrome.exe
  ProcessCommandLineLength: 475
  ProcessCommandLine: '"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer
    --disable-nacl --origin-trial-disabled-features=WebGPU --disable-gpu-compositing
    --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation
    --renderer-client-id=52 --time-ticks-at-unix-epoch=-1699223515372207 --launch-time-ticks=11971985687
    --mojo-platform-channel-handle=7792 --field-trial-handle=1832,i,15435703333515679192,1539963582152160407,262144
    /prefetch:1'
  ProcessId: 18848
  ProcessCreateTime: '2023-11-06T01:51:27.394536Z'
  ProcessStartKey: 3659174697241317
  ProcessSignatureLevel: 8
  ProcessSectionSignatureLevel: 8
  ProcessProtection: 0
  TargetThreadId: 20656
  TargetThreadCreateTime: '2023-11-06T01:51:27.394551Z'
  RequiredSignatureLevel: 8
  SignatureLevel: 4
  ImageNameLength: 51
  ImageName: \Program Files\Malwarebytes\Anti-Malware\mbae64.dll
message: ''

Sigma Rules

References
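The samples above share one structure that is worth automating before these events reach a detection pipeline: each mitigation is reported as a pair of IDs (the odd ID reads "would have been blocked" or "will be allowed to continue", the following even ID "was blocked" or "will be terminated"), every string field in the kernel-mode events travels with a <Field>Length character count, and the *SignatureLevel fields are numeric. The helper below applies that structure to an event in the shape of the page's YAML samples (for instance after exporting the channel to JSON). It is an added example, not code from this page or from Microsoft. The Exploit Protection names ACG, CIG, EAF and IAF are my labels for the message texts, the SE_SIGNING_LEVEL names come from the Windows SDK header wdm.h rather than from the page, and the embedded sample is the Event ID 12 record above with its command line shortened, so the 71-character length for that one field is constructed to match.

```python
"""Triage helper for Microsoft-Windows-Security-Mitigations events.

Added example, not code from the page or from Microsoft. Input is a dict
shaped like the page's YAML samples ("system" and "event_data" keys).
Mitigation names and the audit/block pairing follow the message templates
on the page; SE_SIGNING_LEVEL_* names come from the Windows SDK (wdm.h).
"""

# Odd IDs read "would have been blocked" / "allowed to continue" (audit);
# the following even ID reads "was blocked" / "terminated" (block).
_PAIRS = [
    (1, "ACG: dynamic code generation"),
    (3, "child process creation"),
    (5, "low-integrity image load"),
    (7, "image load from a remote share"),
    (9, "Win32k system call filtering"),
    (11, "CIG: non-Microsoft-signed image load"),
    (13, "EAF: export address table access"),
    (15, "EAF: export address table access"),
    (17, "IAF: import address table access"),
    (19, "ROP: API call with exploit indications"),
    (21, "ROP: API call with exploit indications"),
    (23, "ROP: API call with exploit indications"),
    (25, "user-mode shadow stack: return address mismatch"),
    (27, "user-mode shadow stack: instruction pointer validation on set context"),
    (29, "user-mode shadow stack: incompatible image or missing EH continuation data"),
    (31, "untrusted redirection"),
    (33, "kernel-mode shadow stack: return address mismatch"),
    (35, "NtFsControlFile system call filtering"),
]
MITIGATION_BY_ID = {}
for audit_id, name in _PAIRS:
    MITIGATION_BY_ID[audit_id] = (name, "audit")
    MITIGATION_BY_ID[audit_id + 1] = (name, "block")

# SE_SIGNING_LEVEL_* values (Windows SDK wdm.h) for the *SignatureLevel fields.
SIGNING_LEVEL = {
    0: "Unchecked", 1: "Unsigned", 2: "Enterprise", 3: "Custom1/Developer",
    4: "Authenticode", 5: "Custom2", 6: "Store", 7: "Custom3/Antimalware",
    8: "Microsoft", 9: "Custom4", 10: "Custom5", 11: "DynamicCodegen",
    12: "Windows", 13: "Custom7", 14: "WindowsTcb", 15: "Custom6",
}


def signing_level_name(level):
    """Map a numeric *SignatureLevel value to its SE_SIGNING_LEVEL name."""
    return SIGNING_LEVEL.get(int(level), f"Unknown({level})")


def triage(event):
    """Normalise one provider event into a flat record for a detection pipeline."""
    sysinfo, data = event["system"], event["event_data"]
    eid = int(sysinfo["event_id"])
    name, mode = MITIGATION_BY_ID.get(eid, ("unknown mitigation", "unknown"))
    rec = {
        "event_id": eid,
        "mode": mode,
        "mitigation": name,
        "channel": sysinfo["channel"].rsplit("/", 1)[-1],
        "process": data.get("ProcessPath"),
        # Events 1-10 and 35/36 carry CallingProcessId; the others ProcessId.
        "pid": int(data.get("ProcessId", data.get("CallingProcessId", -1))),
        "user_sid": sysinfo.get("security", {}).get("user_id"),
    }
    # Every <Name>Length field counts the UTF-16 code units of <Name>; a
    # mismatch means the record was truncated or altered downstream.
    rec["length_mismatch"] = [
        k[:-6] for k, n in data.items()
        if k.endswith("Length") and k[:-6] in data
        and len(str(data[k[:-6]]).encode("utf-16-le")) // 2 != int(n)
    ]
    # Decode every signature-level field (process, section, required, actual).
    for key, value in data.items():
        if key.endswith("SignatureLevel"):
            rec[key] = signing_level_name(value)
    if "ImageName" in data:            # events 5/6 and 11/12: the rejected DLL
        rec["image"] = data["ImageName"]
    if "ChildImagePathName" in data:   # events 3/4: the rejected child process
        rec["child"] = data["ChildImagePathName"]
        rec["child_command_line"] = data.get("ChildCommandLine")
    return rec


# Sample: the page's Event ID 12 record (chrome.exe renderer rejecting
# mbae64.dll under CIG). The command line is shortened, so its 71-character
# length is constructed to match; every other value is as shown on the page.
SAMPLE_EVENT_12 = {
    "system": {
        "provider": "Microsoft-Windows-Security-Mitigations",
        "event_id": 12, "level": 3, "task": 6,
        "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
        "security": {"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"},
    },
    "event_data": {
        "ProcessPathLength": 74,
        "ProcessPath": r"\Device\HarddiskVolume4\Program Files\Google\Chrome\Application\chrome.exe",
        "ProcessCommandLineLength": 71,
        "ProcessCommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
        "ProcessId": 18848,
        "ProcessSignatureLevel": 8, "ProcessSectionSignatureLevel": 8,
        "ProcessProtection": 0,
        "RequiredSignatureLevel": 8, "SignatureLevel": 4,
        "ImageNameLength": 51,
        "ImageName": r"\Program Files\Malwarebytes\Anti-Malware\mbae64.dll",
    },
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT_12).items():
        print(f"{key:>28}: {value}")
```

Run against the sample, the record shows mode "block", RequiredSignatureLevel "Microsoft" and SignatureLevel "Authenticode", which is the CIG rejection of a third-party DLL that the message text describes; feeding the same record through with a shortened ImageName makes `length_mismatch` report that field, which is the check to run before trusting paths exported through an intermediate log collector.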

Event ID 13 — Process would have been blocked from accessing the Export Address Table.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.

Fields

Name
Subcode
ProcessPath
ProcessId
ModuleFullPath
ModuleBase
ModuleAddress
MemAddress
MemModuleFullPath
MemModuleBase
APIName
ProcessStartTime
ThreadId

Event ID 14 — Process was blocked from accessing the Export Address Table.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.

Fields

Name
Subcode
ProcessPath
ProcessId
ModuleFullPath
ModuleBase
ModuleAddress
MemAddress
MemModuleFullPath
MemModuleBase
APIName
ProcessStartTime
ThreadId

References

Event ID 15 — Process would have been blocked from accessing the Export Address Table.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.

Fields

Name
Subcode
ProcessPath
ProcessId
ModuleFullPath
ModuleBase
ModuleAddress
MemAddress
MemModuleFullPath
MemModuleBase
APIName
ProcessStartTime
ThreadId

Event ID 16 — Process was blocked from accessing the Export Address Table.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.

Fields

Name
Subcode
ProcessPath
ProcessId
ModuleFullPath
ModuleBase
ModuleAddress
MemAddress
MemModuleFullPath
MemModuleBase
APIName
ProcessStartTime
ThreadId

Event ID 17 — Process would have been blocked from accessing the Import Address Table.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'.

Fields

Name
Subcode
ProcessPath
ProcessId
ModuleFullPath
ModuleBase
ModuleAddress
MemAddress
MemModuleFullPath
MemModuleBase
APIName
ProcessStartTime
ThreadId

Event ID 18 — Process was blocked from accessing the Import Address Table.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'.

Fields

Name
Subcode
ProcessPath
ProcessId
ModuleFullPath
ModuleBase
ModuleAddress
MemAddress
MemModuleFullPath
MemModuleBase
APIName
ProcessStartTime
ThreadId

Event ID 19 — Process would have been blocked from calling an API due to ROP exploit indications.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields

Name
Subcode
ProcessPath
ProcessId
HookedAPI
ReturnAddress
CalledAddress
TargetAddress
StackAddress
FrameAddress
ReturnAddressModuleFullPath
ProcessStartTime
ThreadId

References

Event ID 20 — Process was blocked from calling an API due to ROP exploit indications.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields

Name
Subcode
ProcessPath
ProcessId
HookedAPI
ReturnAddress
CalledAddress
TargetAddress
StackAddress
FrameAddress
ReturnAddressModuleFullPath
ProcessStartTime
ThreadId

References

Event ID 21 — Process would have been blocked from calling an API due to ROP exploit indications.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields

Name
Subcode
ProcessPath
ProcessId
HookedAPI
ReturnAddress
CalledAddress
TargetAddress
StackAddress
FrameAddress
ReturnAddressModuleFullPath
ProcessStartTime
ThreadId

References

Event ID 22 — Process was blocked from calling an API due to ROP exploit indications.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields

Name
Subcode
ProcessPath
ProcessId
HookedAPI
ReturnAddress
CalledAddress
TargetAddress
StackAddress
FrameAddress
ReturnAddressModuleFullPath
ProcessStartTime
ThreadId

Event ID 23 — Process would have been blocked from calling an API due to ROP exploit indications.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields

Name
Subcode
ProcessPath
ProcessId
HookedAPI
ReturnAddress
CalledAddress
TargetAddress
StackAddress
FrameAddress
ReturnAddressModuleFullPath
ProcessStartTime
ThreadId

References

Event ID 24 — Process was blocked from calling an API due to ROP exploit indications.

Provider
Microsoft-Windows-Security-Mitigations
Channel
UserMode

Message

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields

Name
Subcode
ProcessPath
ProcessId
HookedAPI
ReturnAddress
CalledAddress
TargetAddress
StackAddress
FrameAddress
ReturnAddressModuleFullPath
ProcessStartTime
ThreadId

References

Event ID 25 — Process has encountered a shadow stack return address mismatch; the process will be allowed to continue.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) has encountered a shadow stack return address mismatch. The process will be allowed to continue execution.

Return instruction executed from module '%12'.
Attempting to return to module '%14'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
ControlPcImageNameLength
ControlPcImageName
RspContentsImageNameLength
RspContentsImageName
StrictMode
UserCetAppcompatOptions
NonenforcementReason
ControlPcAddress
ControlPcOffset
ControlPcCetCompat
RspContentsAddress
RspContentsOffset
RspContentsCetCompat

References

Event ID 26 — Process has encountered a shadow stack return address mismatch; the process will be terminated.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) has encountered a shadow stack return address mismatch. The process will be terminated.

Return instruction executed from module '%12'.
Attempting to return to module '%14'.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
ControlPcImageNameLength
ControlPcImageName
RspContentsImageNameLength
RspContentsImageName
StrictMode
UserCetAppcompatOptions
NonenforcementReason
ControlPcAddress
ControlPcOffset
ControlPcCetCompat
RspContentsAddress
RspContentsOffset
RspContentsCetCompat

Event ID 27 — Process would have been blocked from setting context due to instruction pointer validation failure.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
TargetIpImageNameLength
TargetIpImageName
StrictMode
ContinueType

References

Event ID 28 — Process was blocked from setting context due to instruction pointer validation failure.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) was blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
TargetIpImageNameLength
TargetIpImageName
StrictMode
ContinueType

References

Event ID 29 — Process would have been blocked from loading an image incompatible with shadow stacks or missing exception handling continuation data.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.
Process requires binaries to also contain exception handling continuation data: %15

Binary path: %12
Binary compatible with shadow stacks: %13
Binary contains exception handling continuation data: %14

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
MappedImageNameLength
MappedImageName
ImageCetShadowStacksReady
ImageEHContinuationTablePresent
NonEhcontMode

References

Event ID 30 — Process was blocked from loading an image incompatible with shadow stacks or missing exception handling continuation data.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) was blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.
Process requires binaries to also contain exception handling continuation data: %15

Binary path: %12
Binary compatible with shadow stacks: %13
Binary contains exception handling continuation data: %14

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
MappedImageNameLength
MappedImageName
ImageCetShadowStacksReady
ImageEHContinuationTablePresent
NonEhcontMode

Event ID 31 — Process would have been blocked from following an untrusted redirection.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocked from following an untrusted redirection: 

Binary path: %2
Arguments: %4
Redirection Type: %11
Operation Path: %13
Impersonating: %14

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
RedirectionType
OperationPathLength
OperationPath
Module1
Module1Offset
Module2
Module2Offset
Module3
Module3Offset
Module4
Module4Offset
Module5
Module5Offset
Module6
Module6Offset
Module7
Module7Offset
Module8
Module8Offset
Module9
Module9Offset
Module10
Module10Offset
Module11
Module11Offset
Module12
Module12Offset
Module13
Module13Offset
Module14
Module14Offset
Module15
Module15Offset
Module16
Module16Offset

Event ID 32 — Process was blocked from following an untrusted redirection.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) was blocked from following an untrusted redirection: 

Binary path: %2
Arguments: %4
Redirection Type: %11
Operation Path: %13
Impersonating: %14

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
ProcessId
ProcessCreateTime
ProcessStartKey
ProcessSignatureLevel
ProcessSectionSignatureLevel
ProcessProtection
RedirectionType
OperationPathLength
OperationPath
Module1
Module1Offset
Module2
Module2Offset
Module3
Module3Offset
Module4
Module4Offset
Module5
Module5Offset
Module6
Module6Offset
Module7
Module7Offset
Module8
Module8Offset
Module9
Module9Offset
Module10
Module10Offset
Module11
Module11Offset
Module12
Module12Offset
Module13
Module13Offset
Module14
Module14Offset
Module15
Module15Offset
Module16
Module16Offset

Event ID 33 — The system has encountered a kernel-mode shadow stack return address mismatch.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be allowed to continue execution because: %5.

Return instruction executed from module '%2'.
(Instruction address: %6, module offset: %7)

Attempting to return to module '%4'.
(Instruction address: %9, module offset: %10)

Fields

Name
ControlPcImageNameLength
ControlPcImageName
RspContentsImageNameLength
RspContentsImageName
NonenforcementReason
ControlPcAddress
ControlPcOffset
ControlPcCetCompat
RspContentsAddress
RspContentsOffset
RspContentsCetCompat
ShadowStackOverflowReset
ErrorCode

Event ID 34 — The system has encountered a kernel-mode shadow stack return address mismatch.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be terminated.

Return instruction executed from module '%2'.
(Instruction address: %6, module offset: %7)

Attempting to return to module '%4'.
(Instruction address: %9, module offset: %10)

Fields

Name
ControlPcImageNameLength
ControlPcImageName
RspContentsImageNameLength
RspContentsImageName
NonenforcementReason
ControlPcAddress
ControlPcOffset
ControlPcCetCompat
RspContentsAddress
RspContentsOffset
RspContentsCetCompat
ShadowStackOverflowReset
ErrorCode

Event ID 35 — Process would have been blocked from making the NtFsControlFile system call.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) would have been blocked from making the NtFsControlFile system call.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime

Event ID 36 — Process was blocked from making the NtFsControlFile system call.

Provider
Microsoft-Windows-Security-Mitigations
Channel
KernelMode

Message

Process '%2' (PID %5) was blocked from making the NtFsControlFile system call.

Fields

Name
ProcessPathLength
ProcessPath
ProcessCommandLineLength
ProcessCommandLine
CallingProcessId
CallingProcessCreateTime
CallingProcessStartKey
CallingProcessSignatureLevel
CallingProcessSectionSignatureLevel
CallingProcessProtection
CallingThreadId
CallingThreadCreateTime