├── LICENSE
├── README.md
└── configureBaseMachine.ps1

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 Palantir Technologies

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Exploit Protection Event Documentation

_Last updated: 10/15/19_
_Research by: Matthew Graeber @ SpecterOps_

Associated Blog Post: https://medium.com/palantir/assessing-the-effectiveness-of-a-new-security-data-source-windows-defender-exploit-guard-860b69db2ad2

One of the most valuable features of Windows Defender Exploit Guard (WDEG) is the set of Windows event logs generated when a security feature is triggered.
While documentation on [configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection) and [deployment](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml) of WDEG is readily accessible, documentation on which events WDEG supports, and the context around them, does not exist. The Palantir CIRT is of the opinion that the value of an event source is realized only upon documenting each field, applying context around the event, and leveraging these as discrete detection capabilities.

WDEG supplies events from multiple event sources (ETW providers) and destinations (event logs). In the documentation that follows, events are organized by their respective event destination. Additionally, many events share the same event template and are grouped accordingly. Microsoft does not currently document these events; the context below was acquired by applying [documented ETW methodology](https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63), by reverse engineering, and with support from security researchers [James Forshaw](https://twitter.com/tiraniddo) and [Alex Ionescu](https://twitter.com/aionescu), who generously answered questions on Windows internals.

## Event Log: Microsoft-Windows-Security-Mitigations/KernelMode

### Events Consisting of Process Context

**Event ID 1 - Arbitrary Code Guard (ACG) Auditing**
Message: "Process '%2' (PID %5) would have been blocked from generating dynamic code."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitDynamicCode
Description: [ACG](https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/) prevents/logs attempted permission modification of code pages (specifically, making an executable page writable) and prevents unsigned code pages from being created.

**Event ID 2 - Arbitrary Code Guard (ACG) Enforcement**
Message: "Process '%2' (PID %5) was blocked from generating dynamic code."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitDynamicCode

**Event ID 7 - Audit: Log Remote Image Loads**
Message: "Process '%2' (PID %5) would have been blocking from loading a binary from a remote share."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitRemoteImageMap
Description: Prevents/logs the loading of images from remote UNC/WebDAV shares, a common [exploitation/DLL hijack primitive](https://www.rapid7.com/db/modules/exploit/windows/browser/ms10_046_shortcut_icon_dllloader) used to load subsequent attacker code from an attacker-controlled location.

**Event ID 8 - Enforce: Block Remote Image Loads**
Message: "Process '%2' (PID %5) was blocked from loading a binary from a remote share."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitRemoteImageMap

**Event ID 9 - Audit: Log Win32K System Call Table Use**
Message: "Process '%2' (PID %5) would have been blocked from making system calls to Win32k.sys."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitWin32kSystemCalls
Description: A user-mode thread attempted to make a system call into Win32k.
Win32k syscalls are frequently used to [trigger elevation of privilege](https://www.slideshare.net/PeterHlavaty/rainbow-over-the-windows-more-colors-than-you-could-expect) and [sandbox escape vulnerabilities](https://improsec.com/tech-blog/win32k-system-call-filtering-deep-dive). For processes that do not intend to perform GUI-related tasks, Win32k syscall auditing/enforcement can be valuable.

**Event ID 10 - Enforce: Prevent Win32K System Call Table Use**
Message: "Process '%2' (PID %5) was blocked from making system calls to Win32k.sys."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitWin32kSystemCalls

**Event Properties**
_ProcessPathLength_
The length, in characters, of the string in the ProcessPath field.

_ProcessPath_
The full path (represented as a device path) of the host process binary that triggered the event.

_ProcessCommandLineLength_
The length, in characters, of the string in the ProcessCommandLine field.

_ProcessCommandLine_
The full command line of the process that triggered the event.

_CallingProcessId_
The process ID of the process that triggered the event.

_CallingProcessCreateTime_
The creation time of the process that triggered the event.

_CallingProcessStartKey_
This field is a locally unique identifier for the process. It was designed as a more robust version of the process ID that is resistant to reuse. The process start key was introduced in Windows 10 1507 and is derived from `_KUSER_SHARED_DATA.BootId` and `EPROCESS.SequenceNumber`, both of which only ever increment and are unlikely to overflow. It is an unsigned 64-bit value derived using the following logic: (BootId << 30) | SequenceNumber. Kernel drivers can retrieve the process start key for a process by calling the PsGetProcessStartKey export in ntoskrnl.exe.
A process start key can also be [derived from user mode](https://gist.github.com/mattifestation/3c2e8f80ca1fe1a7e276ee2607da8d18).

_CallingProcessSignatureLevel_
The signature level of the process executable. This is the validated signing level of the process when it was started. This field is populated from EPROCESS.SignatureLevel. The signature level can be any of the following values:

* 0x0 - Unchecked
* 0x1 - Unsigned
* 0x2 - Enterprise
* 0x3 - Custom1
* 0x4 - Authenticode
* 0x5 - Custom2
* 0x6 - Store
* 0x7 - Antimalware
* 0x8 - Microsoft
* 0x9 - Custom4
* 0xA - Custom5
* 0xB - DynamicCodegen
* 0xC - Windows
* 0xD - WindowsProtectedProcessLight
* 0xE - WindowsTcb
* 0xF - Custom6

_CallingProcessSectionSignatureLevel_
The section signature level is the default required signature level for any module that gets loaded into the process. The same values as ProcessSignatureLevel are supported. This field is populated from EPROCESS.SectionSignatureLevel. The following are some example process and process section signature levels that you might realistically encounter:

1. ProcessSignatureLevel: 8, ProcessSectionSignatureLevel: 6. This indicates that a Microsoft-signed host process will only load images with a Store signature at a minimum. Thanks to Alex Ionescu for pointing out this example scenario.
2. ProcessSignatureLevel: 2, ProcessSectionSignatureLevel: 2. This indicates that both process and module loading are dictated by Windows Defender Application Control (WDAC) policy.
3. ProcessSignatureLevel: 0, ProcessSectionSignatureLevel: 0. This indicates that signature level enforcement for process and module loading is not enforced.

_CallingProcessProtection_
The type of protected process and the protected process signer. This field is populated from EPROCESS.Protection and corresponds to the PS_PROTECTION structure.
These values are well documented in Windows Internals, 7th edition.

The low 3 bits (bits 0-2, the low nibble of the value) contain the type of protected process:

* PsProtectedTypeNone - 0
* PsProtectedTypeProtectedLight - 1
* PsProtectedTypeProtected - 2

Bit 3 is the Audit flag. The top 4 bits (the high nibble of the value) contain the protected process signer:

* PsProtectedSignerNone - 0
* PsProtectedSignerAuthenticode - 1
* PsProtectedSignerCodeGen - 2
* PsProtectedSignerAntimalware - 3
* PsProtectedSignerLsa - 4
* PsProtectedSignerWindows - 5
* PsProtectedSignerWinTcb - 6
* PsProtectedSignerWinSystem - 7
* PsProtectedSignerApp - 8

Here are some example process protection values:

* 0x31 - A PPL, antimalware process
* 0x62 - A protected, WinTCB process

_CallingThreadId_
The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.

_CallingThreadCreateTime_
The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.

### Child Process Creation Events

**Event ID 3 - Audit: Child Process Creation**
Message: "Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitChildProcessCreation
Description: Logs/prevents child process creation.

**Event ID 4 - Enforce: Prevent Child Process Creation**
Message: "Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitChildProcessCreation

**Event Properties**
_ProcessPathLength_
The length, in characters, of the string in the ProcessPath field.

_ProcessPath_
The full path (represented as a device path) of the host process binary that triggered the event.

_ProcessCommandLineLength_
The length, in characters, of the string in the ProcessCommandLine field.

_ProcessCommandLine_
The full command line of the process that triggered the event.

_CallingProcessId_
The process ID of the process that triggered the event.

_CallingProcessCreateTime_
The creation time of the process that triggered the event.

_CallingProcessStartKey_
See section above.

_CallingProcessSignatureLevel_
See section above.

_CallingProcessSectionSignatureLevel_
See section above.

_CallingProcessProtection_
See section above.

_CallingThreadId_
The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.

_CallingThreadCreateTime_
The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.

_ChildImagePathNameLength_
The length, in characters, of the string in the ChildImagePathName field.

_ChildImagePathName_
The path of the child process image that the host process attempted to create.

_ChildCommandLineLength_
The length, in characters, of the string in the ChildCommandLine field.

_ChildCommandLine_
The command line of the child process that the host process attempted to create.
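The process-context fields described in the two sections above (and, under unprefixed names, in the low-integrity and non-Microsoft image load sections that follow) arrive as raw integers. The PowerShell below is an added example and is not code from the Palantir repository: it enumerates the provider's own event metadata (the approach used to obtain the message templates and levels listed here), reads records from the KernelMode log, and decodes the process start key, signature levels and PS_PROTECTION byte using the layouts documented above (start key = (BootId << 30) | SequenceNumber; PS_PROTECTION = Type in bits 0-2, Audit in bit 3, Signer in bits 4-7). The `ConvertFrom-*`/`Get-Wdeg*` function names are the example's own, and the sample record at the end is a constructed XML fragment, not a real event, so the decoder can be exercised offline.

```powershell
# Added example; not part of the Palantir repository. Decodes the process-context
# fields of Microsoft-Windows-Security-Mitigations/KernelMode events using the
# layouts documented in the README:
#   ProcessStartKey = (BootId << 30) | SequenceNumber
#   PS_PROTECTION   = Type (bits 0-2) | Audit (bit 3) | Signer (bits 4-7)

$SignatureLevelName = @{
    0='Unchecked'; 1='Unsigned'; 2='Enterprise'; 3='Custom1'; 4='Authenticode'; 5='Custom2'
    6='Store'; 7='Antimalware'; 8='Microsoft'; 9='Custom4'; 10='Custom5'; 11='DynamicCodegen'
    12='Windows'; 13='WindowsProtectedProcessLight'; 14='WindowsTcb'; 15='Custom6'
}
$ProtectedTypeName   = @('None', 'ProtectedLight', 'Protected')
$ProtectedSignerName = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem', 'App')

function ConvertFrom-ProcessStartKey {
    param([Parameter(Mandatory)][uint64]$StartKey)
    [pscustomobject]@{
        BootId         = $StartKey -shr 30            # everything above the low 30 bits
        SequenceNumber = $StartKey -band 0x3FFFFFFF   # low 30 bits
    }
}

function ConvertFrom-PsProtection {
    param([Parameter(Mandatory)][int]$Protection)
    $type   = $Protection -band 0x7
    $signer = ($Protection -shr 4) -band 0xF
    [pscustomobject]@{
        Type   = if ($type -lt $ProtectedTypeName.Count) { $ProtectedTypeName[$type] } else { "Unknown($type)" }
        Audit  = [bool](($Protection -shr 3) -band 0x1)
        Signer = if ($signer -lt $ProtectedSignerName.Count) { $ProtectedSignerName[$signer] } else { "Unknown($signer)" }
    }
}

# Decode one rendered event (the XML returned by EventRecord.ToXml()). Both the
# "Calling"-prefixed template (EID 1-4, 7-10) and the unprefixed one (EID 5/6, 11/12) are handled.
function ConvertFrom-MitigationEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $get  = { param($name) if ($data.ContainsKey("Calling$name")) { $data["Calling$name"] } else { $data[$name] } }

    $eid = $xml.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # EventID may carry a Qualifiers attribute

    $startKey = ConvertFrom-ProcessStartKey ([uint64](& $get 'ProcessStartKey'))
    $prot     = ConvertFrom-PsProtection   ([int](& $get 'ProcessProtection'))

    [pscustomobject]@{
        EventId               = [int]$eid
        ProcessId             = [int](& $get 'ProcessId')
        ProcessPath           = $data['ProcessPath']
        ProcessCommandLine    = $data['ProcessCommandLine']
        BootId                = $startKey.BootId
        SequenceNumber        = $startKey.SequenceNumber
        SignatureLevel        = $SignatureLevelName[[int](& $get 'ProcessSignatureLevel')]
        SectionSignatureLevel = $SignatureLevelName[[int](& $get 'ProcessSectionSignatureLevel')]
        ProtectionType        = $prot.Type
        ProtectionSigner      = $prot.Signer
        ChildImagePathName    = $data['ChildImagePathName']   # EID 3/4 only
        ChildCommandLine      = $data['ChildCommandLine']     # EID 3/4 only
    }
}

# Live use: decode every kernel-mode mitigation event on this host.
function Get-WdegKernelModeEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode' } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-MitigationEventXml $_.ToXml() }
}

# How the message templates and levels were enumerated from the provider manifest.
function Get-WdegEventTemplate {
    (Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Mitigations').Events |
        Select-Object Id, Version, @{ n = 'Level'; e = { $_.Level.DisplayName } }, Description
}

# Constructed sample (not a real record): an Event ID 4 from a hypothetical
# Microsoft-signed, PPL-antimalware host process. 5368710354 = (5 << 30) | 1234; 49 = 0x31.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Mitigations"/><EventID>4</EventID></System>
  <EventData>
    <Data Name="ProcessPath">\Device\HarddiskVolume3\Program Files\Example\host.exe</Data>
    <Data Name="ProcessCommandLine">"C:\Program Files\Example\host.exe" /svc</Data>
    <Data Name="CallingProcessId">4242</Data>
    <Data Name="CallingProcessStartKey">5368710354</Data>
    <Data Name="CallingProcessSignatureLevel">8</Data>
    <Data Name="CallingProcessSectionSignatureLevel">6</Data>
    <Data Name="CallingProcessProtection">49</Data>
    <Data Name="ChildImagePathName">\??\C:\Windows\System32\cmd.exe</Data>
    <Data Name="ChildCommandLine">cmd.exe /c whoami</Data>
  </EventData>
</Event>
'@
ConvertFrom-MitigationEventXml $sample
```

For the constructed record the decoder reports BootId 5, SequenceNumber 1234, signature level Microsoft with a Store section level, and protection ProtectedLight/Antimalware, which is exactly the 0x31 example above. Rendered integers may appear as decimal or as 0x-prefixed hex depending on the field's manifest type; the `[uint64]`/`[int]` casts accept both. Because the start key embeds the boot ID, correlating it across hosts or reboots is meaningless; it is only stable within one boot session of one machine.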

### Low Integrity Image Load Events

**Event ID 5 - Audit: Low Integrity Image Load**
Message: "Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitLowILImageMap
Description: Prevents/logs the mapping of images whose file carries a low mandatory integrity label (for example, a file written by a low-integrity sandboxed browser).

**Event ID 6 - Enforce: Block Low Integrity Image Load**
Message: "Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitLowILImageMap

**Event Properties**
_ProcessPathLength_
The length, in characters, of the string in the ProcessPath field.

_ProcessPath_
The full path (represented as a device path) of the host process binary that triggered the event.

_ProcessCommandLineLength_
The length, in characters, of the string in the ProcessCommandLine field.

_ProcessCommandLine_
The full command line of the process that triggered the event.

_ProcessId_
The process ID of the process that triggered the event.

_ProcessCreateTime_
The creation time of the process that triggered the event.

_ProcessStartKey_
See section above.

_ProcessSignatureLevel_
See section above.

_ProcessSectionSignatureLevel_
See section above.

_ProcessProtection_
See section above.

_TargetThreadId_
The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.

_TargetThreadCreateTime_
The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.

_ImageNameLength_
The length, in characters, of the string in the ImageName field.

_ImageName_
The name of the low-integrity image that attempted to load.

### Non-Microsoft Binary Load Events

**Event ID 11 - Audit: A non-Microsoft-signed binary would have been loaded.**
Message: "Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitNonMicrosoftBinaries
Description: This event is logged any time a PE that is not Microsoft-signed is loaded into the process.

**Event ID 12 - Enforce: A non-Microsoft-signed binary was prevented from loading.**
Message: "Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitNonMicrosoftBinaries

**Event Properties**
_ProcessPathLength_
The length, in characters, of the string in the ProcessPath field.

_ProcessPath_
The full path (represented as a device path) of the host process binary into which a non-Microsoft binary attempted to load.

_ProcessCommandLineLength_
The length, in characters, of the string in the ProcessCommandLine field.

_ProcessCommandLine_
The full command line of the process into which a non-Microsoft binary attempted to load.

_ProcessId_
The process ID of the process into which a non-Microsoft binary attempted to load.

_ProcessCreateTime_
The creation time of the process into which a non-Microsoft binary attempted to load.

_ProcessStartKey_
See section above.

_ProcessSignatureLevel_
See section above.

_ProcessSectionSignatureLevel_
See section above.

_ProcessProtection_
See section above.

_TargetThreadId_
The thread ID of the thread responsible for attempting to load the non-Microsoft binary. This field is populated from ETHREAD.Cid.UniqueThread.

_TargetThreadCreateTime_
The creation time of the thread responsible for attempting to load the non-Microsoft binary. This field is populated from ETHREAD.CreateTime.

_RequiredSignatureLevel_
The minimum signature level being imposed by WDEG. The same values as ProcessSignatureLevel are supported. This value will be either 8 when only Microsoft-signed binaries are permitted or 6 when Store images are also permitted.

_SignatureLevel_
The validated signature level of the image named in the ImageName field. The same values as ProcessSignatureLevel are supported. SignatureLevel falling below RequiredSignatureLevel is the reason EID 11/12 is logged, so whenever this event appears, SignatureLevel will be less than RequiredSignatureLevel.

_ImageNameLength_
The length, in characters, of the string in the ImageName field.

_ImageName_
The full path to the image that attempted to load into the host process.

## Event Log: Microsoft-Windows-Security-Mitigations/UserMode

### Export/Import Address Table Access Filtering (EAF/IAF) Events

**Event ID 13 - EAF mitigation audited**
Message: "Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage
Description: The export address table was accessed by code that is not backed by an image on disk, i.e. injected shellcode is the likely culprit for accessing the EAT.

**Event ID 14 - EAF mitigation enforced**
Message: "Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage

**Event ID 15 - EAF+ mitigation audited**
Message: "Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage
Description: The export address table was accessed by code that is not backed by an image on disk, or one of the additional EAF+ heuristics fired (see the Subcode property below); injected shellcode is the likely culprit for accessing the EAT.

**Event ID 16 - EAF+ mitigation enforced**
Message: "Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage

**Event ID 17 - IAF mitigation audited**
Message: "Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibProcessIAFGuardPage
Description: The import address table was accessed by code that is not backed by an image on disk.

**Event ID 18 - IAF mitigation enforced**
Message: "Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibProcessIAFGuardPage

**Event Properties**
_Subcode_
Specifies a value in the range of 1-4 that indicates how the event was triggered.

* 1 - Indicates that the classic EAF mitigation was triggered.
This subcode is used if the instruction pointer address used to access the EAT does not map to a DLL that was loaded from disk ([ntdll!RtlPcToFileHeader](https://docs.microsoft.com/en-us/windows/desktop/api/winnt/nf-winnt-rtlpctofileheader) is used to make this determination).
* 2 - Indicates that the stack registers ([R|E]SP and [R|E]BP) fall outside the stack extent of the current thread. This is one of the EAF+ mitigations.
* 3 - Indicates that a memory-reader gadget was used to access the EAT. PayloadRestrictions.dll statically links a disassembler library that attempts to make this determination. This is one of the EAF+ mitigations.
* 4 - Indicates that the IAF mitigation triggered. This also implies that the APIName property will be populated.

_ProcessPath_
The full path of the process in which the EAF/IAF mitigation triggered.

_ProcessId_
The process ID of the process in which the EAF/IAF mitigation triggered.

_ModuleFullPath_
The full path of the module that caused the mitigation to trigger. This value will be empty if the subcode value is 1.

_ModuleBase_
The base address of the module that caused the mitigation to trigger. This value will be 0 if the subcode value is 1.

_ModuleAddress_
The instruction pointer address ([R|E]IP) at the time the mitigation triggered. This property is only relevant to the EAF mitigations; it does not apply to the IAF mitigation.

_MemAddress_
The virtual address within a protected module whose access triggered the guard page exception. This property is only relevant to the EAF mitigations; it does not apply to the IAF mitigation.

_MemModuleFullPath_
The full path of the protected module that was accessed. This string is obtained from LDR_DATA_TABLE_ENTRY.FullDllName in the PEB. This property is only relevant to the EAF mitigations; it does not apply to the IAF mitigation.

_MemModuleBase_
The base address of the protected module that was accessed.

_APIName_
The blacklisted export function name that was accessed. This property is only applicable to the IAF mitigation. The following APIs are included in the blacklist: GetProcAddressForCaller, LdrGetProcedureAddress, LdrGetProcedureAddressEx, CreateProcessAsUserA, CreateProcessAsUserW, GetModuleHandleA, GetModuleHandleW, RtlDecodePointer, DecodePointer.

_ProcessStartTime_
The creation time of the process specified in ProcessPath/ProcessId. The process time is obtained by calling [NtQueryInformationProcess](https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess) with ProcessTimes as the ProcessInformationClass argument and reading the CreateTime field of the returned KERNEL_USER_TIMES structure.

_ThreadId_
The thread ID of the thread that generated the event.

### Return-Oriented Programming (ROP) Events

**Event ID 19 - ROP mitigation audited: Stack Pivot**
Message: "Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibNotifyStackPivotViolation
Description: A ROP stack pivot was detected by observing that the stack pointer fell outside the stack extent (stack base and stack limit) of the current thread.

**Event ID 20 - ROP mitigation enforced: Stack Pivot**
Message: "Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibNotifyStackPivotViolation

**Event ID 21 - ROP mitigation audited: Caller Checks**
Message: "Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibRopCheckCaller
Description: This event is logged if one of the functions listed in the HookedAPI section below was not reached via a CALL instruction, e.g. it was entered via a RET instruction.

**Event ID 22 - ROP mitigation enforced: Caller Checks**
Message: "Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibRopCheckCaller

**Event ID 23 - ROP mitigation audited: Simulate Execution Flow**
Message: "Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibRopCheckSimExecFlow
Description: The simulate execution flow mitigation simulates continued execution from any of the functions listed in the HookedAPI section; if the return logic along the stack resembles ROP behavior, this event is triggered.

**Event ID 24 - ROP mitigation enforced: Simulate Execution Flow**
Message: "Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibRopCheckSimExecFlow

**Event Properties**
_Subcode_
Specifies a value in the range of 5-7 that indicates how the event was triggered.

* 5 - Indicates that the stack pivot ROP mitigation was triggered.
* 6 - Indicates that the "caller checks" ROP mitigation was triggered.
* 7 - Indicates that the "simulate execution flow" ROP mitigation was triggered.

_ProcessPath_
The full path of the process in which the ROP mitigation triggered.

_ProcessId_
The process ID of the process in which the ROP mitigation triggered.

_HookedAPI_
The name of the monitored API that triggered the event. The following hooked APIs are monitored: LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW, LdrLoadDll, VirtualAlloc, VirtualAllocEx, NtAllocateVirtualMemory, VirtualProtect, VirtualProtectEx, NtProtectVirtualMemory, HeapCreate, RtlCreateHeap, CreateProcessA, CreateProcessW, CreateProcessInternalA, CreateProcessInternalW, NtCreateUserProcess, NtCreateProcess, NtCreateProcessEx, CreateRemoteThread, CreateRemoteThreadEx, NtCreateThreadEx, WriteProcessMemory, NtWriteVirtualMemory, WinExec, LdrGetProcedureAddressForCaller, GetProcAddress, GetProcAddressForCaller, LdrGetProcedureAddress, LdrGetProcedureAddressEx, CreateProcessAsUserA, CreateProcessAsUserW, GetModuleHandleA, GetModuleHandleW, RtlDecodePointer, DecodePointer

_ReturnAddress_
I was unable to spend enough time reversing PayloadRestrictions.dll to confirm how this property is populated, but based on fired events and inference, it is the return address of the stack frame that triggered the ROP event. A return address that points into the stack, or to another ROP gadget (a short instruction sequence ending in a return instruction), would be considered suspicious.

_CalledAddress_
This appears to be the address of the hooked, blacklisted API that was called by the potential ROP chain.

_TargetAddress_
This value appears to be the target call/jump address of the ROP gadget to which control was to be transferred via non-traditional means. The TargetAddress value is zero when the "simulate execution flow" ROP mitigation was triggered.

_StackAddress_
The stack address that triggered the stack pivot ROP mitigation. This value is only populated for the stack pivot ROP mitigation; it is zero when the "simulate execution flow" and "caller checks" ROP mitigations are triggered. When StackAddress is populated, it indicates that the stack pointer fell outside the stack extent (NT_TIB StackBase/StackLimit range) of the current thread.

_FrameAddress_
This value is zeroed out in code, so its intended purpose is unclear.

_ReturnAddressModuleFullPath_
The full path of the module that backs the ReturnAddress property (resolved via ntdll!RtlPcToFileHeader and ntdll!LdrGetDllFullName). If ReturnAddress is not backed by a disk-backed module, this property will be empty.

_ProcessStartTime_
The creation time of the process specified in ProcessPath/ProcessId. The process time is obtained by calling [NtQueryInformationProcess](https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess) with ProcessTimes as the ProcessInformationClass argument and reading the CreateTime field of the returned KERNEL_USER_TIMES structure.

_ThreadId_
The thread ID of the thread that generated the event.

## Event Log: Microsoft-Windows-Win32k/Operational

**Event ID 260 - A GDI-based font not installed in the system fonts directory was prevented from being loaded**
Message: "%1 attempted loading a font that is restricted by font loading policy.
FontType: %2
FontPath: %3
Blocked: %4"
Level: 0 (Log Always)
Function that generates the event: win32kbase!EtwFontLoadAttemptEvent
Description: This mitigation is detailed in [this blog post](http://blogs.360.cn/post/windows10_font_security_mitigations.html).

**Event Properties**
_SourceProcessName_
Specifies the name of the process that attempted to load the font.

_SourceType_
Refers to an undocumented W32KFontSourceType enum that, based on calls to win32kfull!ScrutinizeFontLoad, can be any of the following values:

* 0 - "LoadPublicFonts" - Supplied via win32kfull!bCreateSectionFromHandle
* 1 - "LoadMemFonts" - Supplied via win32kfull!PUBLIC_PFTOBJ::hLoadMemFonts
* 2 - "LoadRemoteFonts" - Supplied via win32kfull!PUBLIC_PFTOBJ::bLoadRemoteFonts
* 3 - "LoadDeviceFonts" - Supplied via win32kfull!DEVICE_PFTOBJ::bLoadFonts

_FontSourcePath_
Specifies the path to the font that attempted to load.

_Blocked_
A value of 1 specifies that the font was blocked from loading. A value of 0 indicates that the font was allowed to load but the attempt was logged.

## Event Log: System

**Event ID 5 - Control Flow Guard (CFG) Violation**
Event source: Microsoft-Windows-WER-Diag
Message: "CFG violation is detected."
Level: 0 (Log Always)
Function that generates the event: werfault!CTIPlugin::NotifyCFGViolation
Description: A description of the CFG mitigation can be found [here](https://docs.microsoft.com/en-us/windows/desktop/SecBP/control-flow-guard). Specific event field documentation could not be completed in a reasonable amount of time.

**Event Properties**

_AppPath_
_ProcessId_
_ProcessStartTime_
_Is64Bit_
_CallReturnAddress_
_CallReturnModName_
_CallReturnModOffset_
_CallReturnInstructionBytesLength_
_CallReturnInstructionBytes_
_CallReturnBaseAddress_
_CallReturnRegionSize_
_CallReturnState_
_CallReturnProtect_
_CallReturnType_
_TargetAddress_
_TargetModName_
_TargetModOffset_
_TargetInstructionBytesLength_
_TargetInstructionBytes_
_TargetBaseAddress_
_TargetRegionSize_
_TargetState_
_TargetProtect_
_TargetType_

--------------------------------------------------------------------------------
/configureBaseMachine.ps1:
--------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------------------------------------------------------------
#
# 1. Use this script to configure a base system.
# 2. Export the xml to create a domain policy.
5 | # 6 | # Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection 7 | # 8 | #--------------------------------------------------------------------------------------------------------------------------------------------- 9 | 10 | 11 | 12 | #--------------------------------------------------------------------------------------------------------------------------------------------- 13 | # PER-PROCESS Configurations 14 | # 15 | # Syntax and Example: 16 | # Set-ProcessMitigation - - ,, 17 | # Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation 18 | 19 | Set-ProcessMitigation -Name outlook.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 20 | Set-ProcessMitigation -Name winword.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 21 | Set-ProcessMitigation -Name excel.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 22 | Set-ProcessMitigation -Name powerpnt.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 23 | Set-ProcessMitigation -Name 
visio.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 24 | Set-ProcessMitigation -Name pptview.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 25 | Set-ProcessMitigation -Name groove.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,BlockRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,DisallowChildProcessCreation 26 | Set-ProcessMitigation -Name onedrive.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 27 | Set-ProcessMitigation -Name iexplore.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 28 | Set-ProcessMitigation -Name microsoftedge.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 29 | Set-ProcessMitigation -Name chrome.exe -Enable 
DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess 30 | Set-ProcessMitigation -Name AcroRd32.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 31 | Set-ProcessMitigation -Name acrobat.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 32 | Set-ProcessMitigation -Name firefox.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 33 | Set-ProcessMitigation -Name slack.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess 34 | Set-ProcessMitigation -Name quip.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess 35 | Set-ProcessMitigation -Name zoom.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess 36 | Set-ProcessMitigation -Name mspub.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 37 | Set-ProcessMitigation -Name msaccess.exe -Enable 
DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 38 | Set-ProcessMitigation -Name lync.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 39 | Set-ProcessMitigation -Name fltldr.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 40 | Set-ProcessMitigation -Name infopath.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 41 | Set-ProcessMitigation -Name wordpad.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 42 | Set-ProcessMitigation -Name plugin-container.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 43 | Set-ProcessMitigation -Name java.exe -Enable 
DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 44 | Set-ProcessMitigation -Name javaw.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 45 | Set-ProcessMitigation -Name javaws.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 46 | Set-ProcessMitigation -Name wmplayer.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess 47 | 48 | 49 | #--------------------------------------------------------------------------------------------------------------------------------------------- 50 | 51 | 52 | 53 | #--------------------------------------------------------------------------------------------------------------------------------------------- 54 | # SYSTEM WIDE Configurations 55 | # 56 | # Example: 57 | # Set-Processmitigation -System -Enable DEP 58 | # Note, the options must be specified in a single command or they will overide current config. 59 | 60 | Set-ProcessMitigation -System -Enable DEP,BottomUp,CFG,SEHOP 61 | # Set-ProcessMitigation -System -Enable DEP,BottomUp,SEHOP// We re-enabled CFG as default 10/21/19. 
62 | 63 | #--------------------------------------------------------------------------------------------------------------------------------------------- 64 | 65 | 66 | 67 | #--------------------------------------------------------------------------------------------------------------------------------------------- 68 | # 69 | # Clear a setting: 70 | # Set-Processmitigation -Name test.exe -Remove -Disable DEP 71 | 72 | #--------------------------------------------------------------------------------------------------------------------------------------------- 73 | 74 | #--------------------------------------------------------------------------------------------------------------------------------------------- 75 | # 76 | # Export Settings for Deployment: 77 | Get-ProcessMitigation -RegistryConfigFilePath settings.xml 78 | 79 | #--------------------------------------------------------------------------------------------------------------------------------------------- 80 | 81 | #--------------------------------------------------------------------------------------------------------------------------------------------- 82 | # 83 | # Import Settings on a test or base machine 84 | #Set-ProcessMitigation -PolicyFilePath settings.xml 85 | 86 | #--------------------------------------------------------------------------------------------------------------------------------------------- 87 | --------------------------------------------------------------------------------
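The script's workflow ends with exporting settings.xml from the base machine and pushing it out as a domain policy. The PowerShell below is an added example, not part of the Palantir repository, for the follow-up step the script leaves to the reader: confirming that the policy actually landed on an endpoint by diffing the base machine's export against an export taken on the endpoint. It assumes only the outer structure of the export (a `MitigationPolicy` root containing `AppConfig` elements with an `Executable` attribute and a `SystemConfig` element, each holding child elements whose attributes are the mitigation switches); child element and attribute names are compared generically rather than hard-coded. The two documents embedded below are constructed for the example and are not real exports.

```powershell
# Added example (not part of the Palantir repo): diff a baseline settings.xml against an
# endpoint's export. Assumes only MitigationPolicy / AppConfig[@Executable] / SystemConfig;
# mitigation element and attribute names are discovered from the documents themselves.

function Get-MitigationMap {
    # Flatten a MitigationPolicy document into "scope/element/attribute" = value.
    # Executable names are lower-cased because exports do not preserve case consistently.
    param([Parameter(Mandatory)][xml]$Policy)
    $map = @{}
    $configs = @($Policy.MitigationPolicy.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })
    foreach ($cfg in $configs) {
        $scope = if ($cfg.LocalName -eq 'AppConfig') {
            'App:' + $cfg.GetAttribute('Executable').ToLowerInvariant()
        } else {
            $cfg.LocalName
        }
        foreach ($m in ($cfg.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })) {
            foreach ($a in $m.Attributes) {
                $map["$scope/$($m.LocalName)/$($a.LocalName)"] = $a.Value
            }
        }
    }
    $map
}

function Compare-MitigationPolicy {
    # Emit one row per setting whose value differs, or that exists on only one side.
    param([Parameter(Mandatory)][xml]$Baseline, [Parameter(Mandatory)][xml]$Actual)
    $b = Get-MitigationMap $Baseline
    $a = Get-MitigationMap $Actual
    $keys = @($b.Keys) + @($a.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        if ($b[$k] -ne $a[$k]) {
            [pscustomobject]@{ Setting = $k; Baseline = $b[$k]; Actual = $a[$k] }
        }
    }
}

# Constructed sample documents (not real exports): the endpoint lost mandatory ASLR and CFG
# on outlook.exe and has system-wide CFG turned off.
$BaselineXml = [xml]@'
<MitigationPolicy>
  <AppConfig Executable="outlook.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" BottomUp="true" />
    <ControlFlowGuard Enable="true" />
    <ChildProcess Audit="true" />
  </AppConfig>
  <SystemConfig>
    <DEP Enable="true" />
    <ControlFlowGuard Enable="true" />
  </SystemConfig>
</MitigationPolicy>
'@
$ActualXml = [xml]@'
<MitigationPolicy>
  <AppConfig Executable="OUTLOOK.EXE">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="false" BottomUp="true" />
    <ChildProcess Audit="true" />
  </AppConfig>
  <SystemConfig>
    <DEP Enable="true" />
    <ControlFlowGuard Enable="false" />
  </SystemConfig>
</MitigationPolicy>
'@
Compare-MitigationPolicy -Baseline $BaselineXml -Actual $ActualXml | Format-Table -AutoSize

# Live use: export on the endpoint with
#   Get-ProcessMitigation -RegistryConfigFilePath endpoint.xml
# then compare against the base machine's settings.xml:
#   Compare-MitigationPolicy ([xml](Get-Content settings.xml -Raw)) ([xml](Get-Content endpoint.xml -Raw))
```

On the constructed input the report contains the outlook.exe ForceRelocateImages and ControlFlowGuard rows and the SystemConfig ControlFlowGuard row, and nothing else, because every other attribute matches once the executable name is case-folded. Run the comparison after each Group Policy refresh on a pilot host before widening the deployment; a setting that is present in the baseline and absent on the endpoint usually means the policy was never applied, while a different value usually means a later local Set-ProcessMitigation call replaced it.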