Event ID 1 — Process 'ProcessPath' (PID CallingProcessId) would have been blocked from generating dynamic code.
Description
Process 'ProcessPath' (PID CallingProcessId) would have been blocked from generating dynamic code.
Message #
Fields #
| Name | Description |
|---|---|
ProcessPathLength UInt16 | — |
ProcessPath UnicodeString | — |
ProcessCommandLineLength UInt16 | — |
ProcessCommandLine UnicodeString | — |
CallingProcessId UInt32 | — |
CallingProcessCreateTime FILETIME | — |
CallingProcessStartKey UInt64 | — |
CallingProcessSignatureLevel UInt8 | — |
CallingProcessSectionSignatureLevel UInt8 | — |
CallingProcessProtection UInt8 | — |
CallingThreadId UInt32 | — |
CallingThreadCreateTime FILETIME | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Mitigations",
"guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 0,
"task": 1,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-04-04T14:07:23.788203+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 4808,
"thread_id": 4432
},
"channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-21-1958040314-2592322477-2606035944-500"
}
},
"event_data": {
"ProcessPathLength": 60,
"ProcessPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\inetsrv\\InetMgr.exe",
"ProcessCommandLineLength": 42,
"ProcessCommandLine": "\"C:\\Windows\\system32\\inetsrv\\InetMgr.exe\" ",
"CallingProcessId": 4808,
"CallingProcessCreateTime": "2022-04-04T14:07:23.009253Z",
"CallingProcessStartKey": 1407374883554550,
"CallingProcessSignatureLevel": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessProtection": 0,
"CallingThreadId": 4432,
"CallingThreadCreateTime": "2022-04-04T14:07:23.009255Z"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline