Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/palantir/exploitguard

Documentation and supporting script sample for Windows Exploit Guard
https://github.com/palantir/exploitguard

octo-correct-managed

Last synced: about 2 months ago
JSON representation

Documentation and supporting script sample for Windows Exploit Guard

Awesome Lists containing this project

README 

        
# Exploit Protection Event Documentation



_Last updated: 10/15/19_  

_Research by: Matthew Graeber @ SpecterOps_  

  

Associated Blog Post: https://medium.com/palantir/assessing-the-effectiveness-of-a-new-security-data-source-windows-defender-exploit-guard-860b69db2ad2



One of the most valuable features of WDEG are the Windows event logs generated when a security feature is triggered. While documentation on configuration (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection) and deployment (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml) of WDEG is readily accessible, documentation on what events WDEG supports, and the context around them, does not exist. The Palantir CIRT is of the opinion that the value of an event source is realized only upon documenting each field, applying context around the event, and leveraging these as discrete detection capabilities.



WDEG supplies events from multiple event sources (ETW providers) and destinations (event logs). In the documentation that follows, events are organized by their respective event destination. Additionally, many events use the same event template and are grouped accordingly. Microsoft does not currently document these events and context was acquired by utilizing documented ETW methodology (https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63), reverse engineering, and with support from security researchers (James Forshaw (https://twitter.com/tiraniddo) and Alex Ionescu (https://twitter.com/aionescu)) generously answering questions on Windows internals.



## Event Log: Microsoft-Windows-Security-Mitigations/KernelMode  



### Events Consisting of Process Context  



**Event ID 1 - Arbitrary Code Guard (ACG) Auditing**  

Message: "Process '%2' (PID %5) would have been blocked from generating dynamic code."  

Level: 0 (Log Always)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitDynamicCode  

Description: _ACG_ (https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/) prevents/logs attempted permission modification of code pages (making a page writeable, specifically) and prevents unsigned code pages from being created.  

  

**Event ID 2 - Arbitrary Code Guard (ACG) Enforcement**  

Message: "Process '%2' (PID %5) was blocked from generating dynamic code."  

Level: 3 (Warning)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitDynamicCode  



**Event ID 7 - Audit: Log Remote Image Loads**  

Message: "Process '%2' (PID %5) would have been blocking from loading a binary from a remote share."  

Level: 0 (Log Always)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitRemoteImageMap  

Description: Prevents/logs the loading of images from remote UNC/WebDAV shares, a common _exploitation/dll hijack primitive used_ (https://www.rapid7.com/db/modules/exploit/windows/browser/ms10_046_shortcut_icon_dllloader) to load subsequent attacker code from an attacker-controlled location.  



**Event ID 8 - Enforce: Block Remote Image Loads**  

Message: "Process '%2' (PID %5) was blocked from loading a binary from a remote share."  

Level: 3 (Warning)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitRemoteImageMap  



**Event ID 9 - Audit: Log Win32K System Call Table Use**  

Message: "Process '%2' (PID %5) would have been blocked from making system calls to Win32k.sys."  

Level: 0 (Log Always)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitWin32kSystemCalls  

Description: A user-mode GUI thread attempted to access the Win32K syscall table. Win32K syscalls are used frequently to _trigger elevation of privilege_ (https://www.slideshare.net/PeterHlavaty/rainbow-over-the-windows-more-colors-than-you-could-expect) and _sandbox escape vulnerabilities_ (https://improsec.com/tech-blog/win32k-system-call-filtering-deep-dive). For processes that do not intend to perform GUI-related tasks, Win32K syscall auditing/enforcement can be valuable.  



**Event ID 10 - Enforce: Prevent Win32K System Call Table Use**  

Message: "Process '%2' (PID %5) was blocked from making system call  

s to Win32k.sys."  

Level: 3 (Warning)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitWin32kSystemCalls  



**Event Properties**  

_ProcessPathLength_  

The length, in characters, of the string in the ProcessPath field.  



_ProcessPath_  

The full path (represented as a device path) of the host process binary that triggered the event.  



_ProcessCommandLineLength_  

The length, in characters, of the string in the ProcessCommandLine field.  



_ProcessCommandLine_  

The full command line of the process that triggered the event.  



_CallingProcessId_  

The process ID of the process that triggered the event.  



_CallingProcessCreateTime_  

The creation time of the process that triggered the event.  



_CallingProcessStartKey_  

This field represents a locally unique identifier for the process. It was designed as a more robust version of process ID that is resistant to being repeated. Process start key was introduced in Windows 10 1507 and is derived from _KUSER_SHARED_DATA.BootId and EPROCESS.SequenceNumber, both of which increment and are unlikely to overflow. It is an unsigned 64-bit value that is derived using the following logic: (BootId << 30) | SequenceNumber. Kernel drivers can retrieve the process start key for a process by calling the PsGetProcessStartKey export in ntoskrnl.exe. A process start key can also be _derived from user-mode_ (https://gist.github.com/mattifestation/3c2e8f80ca1fe1a7e276ee2607da8d18).  



_CallingProcessSignatureLevel_  

The signature level of the process executable. This is the validated signing level for the process when it was started. This field is populated from EPROCESS.SignatureLevel. Signature level can be any of the following values:  



* 0x0 - Unchecked

* 0x1 - Unsigned

* 0x2 - Enterprise

* 0x3 - Custom1

* 0x4 - Authenticode

* 0x5 - Custom2

* 0x6 - Store

* 0x7 - Antimalware

* 0x8 - Microsoft

* 0x9 - Custom4

* 0xA - Custom5

* 0xB - DynamicCodegen

* 0xC - Windows

* 0xD - WindowsProtectedProcessLight

* 0xE - WindowsTcb

* 0xF - Custom6



_CallingProcessSectionSignatureLevel_

The section signature level is the default required signature level for any modules that get loaded into the process. The same values as ProcessSignatureLevel are supported. This field is populated from EPROCESS.SectionSignatureLevel. The following are some example process and process section signature levels that you might realistically encounter:  



1. ProcessSignatureLevel: 8, ProcessSectionSignatureLevel: 6. This indicates that a Microsoft-signed host process will only load images with a Store signature at a minimum. Thanks to Alex Ionescu for pointing out this example scenario.  

2. ProcessSignatureLevel: 2, ProcessSectionSignatureLevel: 2. This indicates that both process and module loading are dictated by Windows Defender Application Control (WDAC) policy.  

3. ProcessSignatureLevel: 0, ProcessSectionSignatureLevel: 0. This would indicate that signature level enforcement for process and module loading is not enforced.  



_CallingProcessProtection_  

The type of protected process and the protected process signer. This field is populated from EPROCESS.Protection and corresponds to the PS_PROTECTION structure. These values are well documented in Windows Internals: Volume 7.  



The first 3 bits contain the type of protected process (refers to the low nibble of the value):  



* PsProtectedTypeNone - 0  

* PsProtectedTypeProtectedLight - 1  

* PsProtectedTypeProtected - 2  



The top 4 bits contain the protected process signer (refers to the high nibble of the value):  



* PsProtectedSignerNone - 0

* PsProtectedSignerAuthenticode - 1

* PsProtectedSignerCodeGen - 2

* PsProtectedSignerAntimalware - 3

* PsProtectedSignerLsa - 4

* PsProtectedSignerWindows - 5

* PsProtectedSignerWinTcb - 6

* PsProtectedSignerWinSystem - 7

* PsProtectedSignerApp - 8



Here are some example process protection values:  



* 0x31 - A PPL, antimalware process

* 0x62 - A protected, WinTCB process



_CallingThreadId_  

The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.  



_CallingThreadCreateTime_  

The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.  



### Child Process Creation Events  



**Event ID 3 - Audit: Child Process Creation**  

Message: “Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'."  

Level: 0 (Log Always)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitChildProcessCreation  

Description: log/prevents child process creation  



**Event ID 4 - Enforce: Prevent Child Process Creation**  

Message: “Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'."  

Level: 3 (Warning)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitChildProcessCreation  



**Event Properties**  

_ProcessPathLength_  

The length, in characters, of the string in the ProcessPath field.  



_ProcessPath_  

The full path (represented as a device path) of the host process binary that triggered the event.  



_ProcessCommandLineLength_  

The length, in characters, of the string in the ProcessCommandLine field.  



ProcessCommandLine  

The full command line of the process that triggered the event.  



_CallingProcessId_  

The process ID of the process that triggered the event.  



_CallingProcessCreateTime_  

The creation time of the process that triggered the event.  



_CallingProcessStartKey_  

See section above.   



_CallingProcessSignatureLevel_  

See section above.  



_CallingProcessSectionSignatureLevel_  

See section above.  



_CallingProcessProtection_  

See section above.  



_CallingThreadId_  

The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.  



_CallingThreadCreateTime_  

The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.  



_ChildImagePathNameLength_  

The length, in characters, of the string in the ChildImagePathName field.  



_ChildImagePathName_  

The path to the image that is attempting to load.  



_ChildCommandLineLength_  

The length, in characters, of the string in the ChildCommandLine field.  



_ChildCommandLine_  

The command line of the image that is attempting to load.  



### Low Integrity Image Load Events



**Event ID 5 - Audit: low integrity image load**  

Message: “Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'."  

Level: 0 (Log Always)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitLowILImageMap  



**Event ID 6 - Enforce: block low integrity image load**  

Message: “Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'."  

Level: 3 (Warning)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitLowILImageMap  



**Event Properties**

_ProcessPathLength_  

The length, in characters, of the string in the ProcessPath field.  



_ProcessPath_  

The full path (represented as a device path) of the host process binary that triggered the event.  



_ProcessCommandLineLength_  

The length, in characters, of the string in the ProcessCommandLine field.  



_ProcessCommandLine_  

The full command line of the process that triggered the event.  



_ProcessId_  

The process ID of the process that triggered the event.  



_ProcessCreateTime_  

The creation time of the process that triggered the event.  



_ProcessStartKey_  

See section above.  



_ProcessSignatureLevel_  

See section above.   



_ProcessSectionSignatureLevel_  

See section above.  



_ProcessProtection_  

See section above.  



_TargetThreadId_  

The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.   



_TargetThreadCreateTime_  

The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.  



_ImageNameLength_  

The length, in characters, of the string in the ImageName field.  



_ImageName_  

The name of the image that attempted to load with low integrity.  



### Non-Microsoft Binary Load Events  



**Event ID 11 - Audit: A non-Microsoft-signed binary would have been loaded.**  

Message: “Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'."  

Level: 0 (Log Always)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitNonMicrosoftBinaries  

Description: This event is logged any time a PE is loaded into a process that is not Microsoft-signed.  



**Event ID 12 - Enforce: A non-Microsoft-signed binary was prevented from loading.**  

Message: “Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'."  

Level: 3 (Warning)  

Function that generates the event: ntoskrnl!EtwTimLogProhibitNonMicrosoftBinaries  



**Event Properties**  

_ProcessPathLength_  

The length, in characters, of the string in the ProcessPath field.  



_ProcessPath_  

The full path (represented as a device path) of the host process binary into which a non-MSFT binary attempted to load.  



_ProcessCommandLineLength_  

The length, in characters, of the string in the ProcessCommandLine field.  



_ProcessCommandLine_  

The full command line of the process into which a non-MSFT binary attempted to load.  



_ProcessId_  

The process ID of the process into which a non-MSFT binary attempted to load.  



_ProcessCreateTime_  

The creation time of the process into which a non-MSFT binary attempted to load.  



_ProcessStartKey_  

See section above.  



_ProcessSignatureLevel_  

See section above.   



_ProcessSectionSignatureLevel_  

See section above.  



_ProcessProtection_  

See section above.  



_TargetThreadId_  

The thread ID of the thread responsible for attempting to load the non-MSFT binary. This field is populated from ETHREAD.Cid.UniqueThread.   



_TargetThreadCreateTime_  

The creation time of the thread responsible for attempting to load the non-MSFT binary. This field is populated from ETHREAD.CreateTime.  



_RequiredSignatureLevel_  

The minimum signature level being imposed by WDEG. The same values as ProcessSignatureLevel are supported. This value will either be 8 in the case of Microsoft-signed binaries only or 6 in the case where Store images are permitted.  



_SignatureLevel_  

The validated signature level of the image present in the ImageName field. The same values as ProcessSignatureLevel are supported. A value less than RequiredSignatureLevel indicates the reason why EID 11/12 was logged in the first place. When this event is logged, SignatureLevel will always be less than RequiredSignatureLevel.  



_ImageNameLength_  

The length, in characters, of the string in the ImageName field.  



_ImageName_  

The full path to the image that attempted to load into the host process.  



## Event Log: Microsoft-Windows-Security-Mitigations/UserMode



### Export/Import Address Table Access Filtering (EAF/IAF) Events



**Event ID 13 - EAF mitigation audited**  

Message: “Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'."  

Level: 0 (Log Always)  

Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage  

Description: The export address table was accessed by code that is not backed by an image on disk - i.e. injected shellcode is the likely culprit for access the EAT.  



**Event ID 14 - EAF mitigation enforced**  

“Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'."  

Level: 3 (Warning)  

Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage  



**Event ID 15 - EAF+ mitigation audited**  

Message: “Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'."  

Level: 0 (Log Always)  

Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage  

Description: The export address table was accessed by code that is not backed by an image on disk and via many other improved heuristics - i.e. injected shellcode is the likely culprit for access the EAT.  



**Event ID 16 - EAF+ mitigation enforced**  

Message: “Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'."  

Level: 3 (Warning)  

Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage  



**Event ID 17 - IAF mitigation audited**  

Message: “Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'."  

Level: 0 (Log Always)  

Function that generates the event: PayloadRestrictions!MitLibProcessIAFGuardPage  

Description: The import address table was accessed by code that is not backed by an image on disk.  



**Event ID 18 - IAF mitigation enforced**  

Message: “Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'."  

Level: 3 (Warning)  

Function that generates the event: PayloadRestrictions!MitLibProcessIAFGuardPage  



**Event Properties**  

_Subcode_  

Specifies a value in the range of 1-4 that indicates how how the event was triggered.  



* 1 - Indicates that the classic EAF mitigation was triggered. This subcode is used if the instruction pointer address used to access the EAF does not map to a DLL that was loaded from disk (ntdll!_RtlPcToFileHeader_ (https://docs.microsoft.com/en-us/windows/desktop/api/winnt/nf-winnt-rtlpctofileheader) is used to make this determination).

* 2 - Indicates that the stack registers ([R|S]P and [R|E]BP) fall outside the stack extent of the current thread. This is one of the EAF+ mitigations.

* 3 - Indicates that a memory reader gadget was used to access the EAF. PayloadRestrictions.dll statically links a disassembler library that attempts to make this determination. This is one of the EAF+ mitigations.

* 4 - Indicates that the IAF mitigation triggered. This also implies that the APIName property will be populated.



_ProcessPath_  

The full path of the process in which the EAF/IAF mitigation triggered.  



_ProcessId_  

The process ID of the process in which the EAF/IAF mitigation triggered.  



_ModuleFullPath_  

The full path of the module that caused the mitigation to trigger. This value will be empty if the subcode value is 1.  



_ModuleBase_  

The base address of the module that caused the mitigation to trigger. This value will be 0 if the subcode value is 1.  



_ModuleAddress_  

The instruction pointer address ([R|E]IP) upon the mitigation triggering. This property is only relevant to the EAF mitigations. It does not apply to the IAF mitigation.  



_MemAddress_  

The virtual address that was accessed within a protected module that triggered a guard page exception. This property is only relevant to the EAF mitigations. It does not apply to the IAF mitigation.  



_MemModuleFullPath_  

The full path of the protected module that was accessed. This string is obtained from LDR_DATA_TABLE_ENTRY.FullDllName in the PEB. This property is only relevant to the EAF mitigations. It does not apply to the IAF mitigation.  



_MemModuleBase_  

The base address of the protected module that was accessed.  



_APIName_  

The blacklisted export function name that was accessed. This property is only applicable to the IAF mitigation. The following APIs are included in the blacklist: GetProcAddressForCaller, LdrGetProcedureAddress, LdrGetProcedureAddressEx, CreateProcessAsUserA, CreateProcessAsUserW, GetModuleHandleA, GetModuleHandleW, RtlDecodePointer, DecodePointer.  



_ProcessStartTime_  

The creation time of the process specified in ProcessPath/ProcessId. The process time is obtained by calling _NtQueryInformationProcess_ (https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess) with ProcessTimes as the ProcessInformationClass argument. The process time is obtained from the CreateTime field of the KERNEL_USER_TIMES structure.  



_ThreadId_  

The thread ID of the thread that generated the event.  



### Return-Oriented Programming (ROP) Events



**Event ID 19 - ROP mitigation audited: Stack Pivot**  

Message: Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.  

Level: 0 (Log Always)  

Function that generates the event: PayloadRestrictions!MitLibNotifyStackPivotViolation  

Description: A ROP stack pivot was detection by observing that the stack pointer fell outside the stack extent (stack base and stack limit) for the current thread.  



**Event ID 20 - ROP mitigation enforced: Stack Pivot**  

Message: Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.  

Level: 3 (Warning)  

Function that generates the event: PayloadRestrictions!MitLibNotifyStackPivotViolation  



**Event ID 21 - ROP mitigation audited: Caller Checks**  

Message: Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.  

Level: 0 (Log Always)  

Function that generates the event: PayloadRestrictions!MitLibRopCheckCaller  

Description: This event is logged if one of the functions listed in the HookedAPI section below was not called with a call instruction - e.g. called with via a RET instruction.  



**Event ID 22 - ROP mitigation enforced: Caller Checks**  

Message: Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.  

Level: 3 (Warning)  

Function that generates the event: PayloadRestrictions!MitLibRopCheckCaller  



**Event ID 23 - ROP mitigation audited: Simulate Execution Flow**  

Message: Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.  

Level: 0 (Log Always)  

Function that generates the event: PayloadRestrictions!MitLibRopCheckSimExecFlow  

Description: The simulate execution flow mitigation simulates continued execution of any of the functions listed in HookedAPI section and if any of the return logic along the stack resembles ROP behavior, this event is triggered.  



**Event ID 24 - ROP mitigation enforced: Simulate Execution Flow**  

Message: Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.  

Level: 3 (Warning)  

Function that generates the event: PayloadRestrictions!MitLibRopCheckSimExecFlow  



**Event Properties**  

_Subcode_  

Specifies a value in the range of 5-7 that indicates how how the event was triggered.  



* 5 - Indicates that the stack pivot ROP mitigation was triggered.

* 6 - Indicates that the “caller checks" ROP mitigation was triggered.

* 7 - Indicates that the “simulate execution flow" ROP mitigation was triggered.



_ProcessPath_  

The full path of the process in which the ROP mitigation triggered.  



_ProcessId_  

The process ID of the process in which the ROP mitigation triggered.  



_HookedAPI_  

The name of the monitored API that triggered the event. The following hooked APIs are monitored: LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW, LdrLoadDll, VirtualAlloc, VirtualAllocEx, NtAllocateVirtualMemory, VirtualProtect, VirtualProtectEx, NtProtectVirtualMemory, HeapCreate, RtlCreateHeap, CreateProcessA, CreateProcessW, CreateProcessInternalA, CreateProcessInternalW, NtCreateUserProcess, NtCreateProcess, NtCreateProcessEx, CreateRemoteThread, CreateRemoteThreadEx, NtCreateThreadEx, WriteProcessMemory, NtWriteVirtualMemory, WinExec, LdrGetProcedureAddressForCaller, GetProcAddress, GetProcAddressForCaller, LdrGetProcedureAddress, LdrGetProcedureAddressEx, CreateProcessAsUserA, CreateProcessAsUserW, GetModuleHandleA, GetModuleHandleW, RtlDecodePointer, DecodePointer  



_ReturnAddress_  

I was unable to spend too much time reversing PayloadRestrictions.dll to how this property is populated but based on fired events and inference, this property indicates the return address for the current stack frame that triggered the ROP event. A return address that pointed to an address in the stack or to an address of another ROP gadget (a small sequence of instructions followed by a return instruction) would be considered suspicious.



_CalledAddress_  

This appears to be the address of the hooked, blacklisted API that was called by the potential ROP chain.  



_TargetAddress_  

This value appears to be the target call/jump address of the ROP gadget to which control was to be transferred via non-traditional means. The TargetAddress value is zero when the “simulate execution flow" ROP mitigation was triggered.  



_StackAddress_  

The stack address triggering the stack pivot ROP mitigation. This value only populated with the stack pivot ROP mitigation. The StackAddress value is zero when the “simulate execution flow" and “caller checks" ROP mitigations are triggered. When StackAddress is populated, it would indicate that the stack address falls outside the stack extent (NT_TIB StackBase/StackLimit range) for the current thread.  



_FrameAddress_  

This value is zeroed out in code so it is unclear what it’s intended purpose is.  



_ReturnAddressModuleFullPath_  

The full path of the module that is backed by the ReturnAddress property (via ntdll!RtlPcToFileHeader and ntdll!LdrGetDllFullName). If ReturnAddress is not backed by a disk-backed module, this property will be empty.  



_ProcessStartTime_  

The creation time of the process specified in ProcessPath/ProcessId. The process time is obtained by calling _NtQueryInformationProcess_ (https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess) with ProcessTimes as the ProcessInformationClass argument. The process time is obtained from the CreateTime field of the KERNEL_USER_TIMES structure.  



_ThreadId_  

The thread ID of the thread that generated the event.  



## Event Log: Microsoft-Windows-Win32k/Operational



**Event ID 260 - A GDI-based font not installed in the system fonts directory was prevented from being loaded**  

Message: “%1 attempted loading a font that is restricted by font loading policy.  

FontType: %2  

FontPath: %3  

Blocked: %4"  

Level: 0 (Log Always)  

Function that generates the event: win32kbase!EtwFontLoadAttemptEvent  

Description: This mitigation is detailed in _this blog post_ (http://blogs.360.cn/post/windows10_font_security_mitigations.html).  



**Event Properties**  

_SourceProcessName_  

Specifies the name of the process that attempted to load the font.  



_SourceType_  

Refers to an undocumented W32KFontSourceType enum that based on calls to win32kfull!ScrutinizeFontLoad can be any of the following values:  



* 0 - “LoadPublicFonts" - Supplied via win32kfull!bCreateSectionFromHandle ()

* 1 - “LoadMemFonts" - Supplied via win32kfull!PUBLIC_PFTOBJ::hLoadMemFonts

* 2 - “LoadRemoteFonts" - Supplied via win32kfull!PUBLIC_PFTOBJ::bLoadRemoteFonts

* 3 - “LoadDeviceFonts" - Supplied via win32kfull!DEVICE_PFTOBJ::bLoadFonts



_FontSourcePath_  

Specifies the path to the font that attempted to load.  



_Blocked_  

A value of 1 specifies that the font was blocked from loading. A value of 0 indicates that the font was allowed to load but was logged.  



### Event Log: System



**Event ID 5 - Control Flow Guard (CFG) Violation**  

Event source: Microsoft-Windows-WER-Diag  

Message: “CFG violation is detected."  

Level: 0 (Log Always)  

Function that generates the event: werfault!CTIPlugin::NotifyCFGViolation  

Description: A description of the CFG mitigation can be found _here_ (https://docs.microsoft.com/en-us/windows/desktop/SecBP/control-flow-guard).   Specific event field documentation could not be completed in a reasonable amount of time.  



### Event Properties  



_AppPath_  

_ProcessId_  

_ProcessStartTime_  

_Is64Bit_  

_CallReturnAddress_  

_CallReturnModName_  

_CallReturnModOffset_  

_CallReturnInstructionBytesLength_  

_CallReturnInstructionBytes_  

_CallReturnBaseAddress_  

_CallReturnRegionSize_  

_CallReturnState_  

_CallReturnProtect_  

_CallReturnType_  

_TargetAddress_  

_TargetModName_  

_TargetModOffset_  

_TargetInstructionBytesLength_  

_TargetInstructionBytes_  

_TargetBaseAddress_  

_TargetRegionSize_  

_TargetState_  

_TargetProtect_  

_TargetType_