Event ID 12 — Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Level: Warning
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES

Description

Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.

Message #

Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'.

Fields #

Name	Description
`ProcessPathLength` UInt16	—
`ProcessPath` UnicodeString	—
`ProcessCommandLineLength` UInt16	—
`ProcessCommandLine` UnicodeString	—
`ProcessId` UInt32	—
`ProcessCreateTime` FILETIME	—
`ProcessStartKey` UInt64	—
`ProcessSignatureLevel` UInt8	—
`ProcessSectionSignatureLevel` UInt8	—
`ProcessProtection` UInt8	—
`TargetThreadId` UInt32	—
`TargetThreadCreateTime` FILETIME	—
`RequiredSignatureLevel` UInt8	—
`SignatureLevel` UInt8	—
`ImageNameLength` UInt16	—
`ImageName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 3,
    "task": 6,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:51:38.699135+00:00",
    "event_record_id": 190,
    "correlation": {},
    "execution": {
      "process_id": 18848,
      "thread_id": 20656
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ProcessPathLength": 74,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "ProcessCommandLineLength": 475,
    "ProcessCommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --disable-nacl --origin-trial-disabled-features=WebGPU --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --time-ticks-at-unix-epoch=-1699223515372207 --launch-time-ticks=11971985687 --mojo-platform-channel-handle=7792 --field-trial-handle=1832,i,15435703333515679192,1539963582152160407,262144 /prefetch:1",
    "ProcessId": 18848,
    "ProcessCreateTime": "2023-11-06T01:51:27.394536Z",
    "ProcessStartKey": 3659174697241317,
    "ProcessSignatureLevel": 8,
    "ProcessSectionSignatureLevel": 8,
    "ProcessProtection": 0,
    "TargetThreadId": 20656,
    "TargetThreadCreateTime": "2023-11-06T01:51:27.394551Z",
    "RequiredSignatureLevel": 8,
    "SignatureLevel": 4,
    "ImageNameLength": 51,
    "ImageName": "\\Program Files\\Malwarebytes\\Anti-Malware\\mbae64.dll"
  },
  "message": ""
}

Detection Patterns #

Persistence: DLL

Security-Mitigations Event ID 11: Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.OREvent ID 12: Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.

2 rules

Sigma

Microsoft Defender Blocked from Loading Unsigned DLL (source)

Bhabesh Raj

Unsigned Binary Loaded From Suspicious Location (source)

Nasreddine Bencherchali (Nextron Systems)

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline