From 2295d247c53d8d68bdb2c77f1a1d08fcdcb42f99 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Thu, 27 Aug 2020 15:50:22 -0700 Subject: [PATCH 1/4] Add event tag explanations Document event log tags for SignatureType, ValidatedSigningLevel, and VerificationError --- .../TOC.md | 3 +- .../event-id-explanations.md | 4 +- .../event-tag-explanations.md | 83 +++++++++++++++++++ ...r-application-control-operational-guide.md | 3 +- 4 files changed, 89 insertions(+), 4 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index fc4c0fde64..7462b160a6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -41,7 +41,8 @@ ## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) -### [Understanding Application Control events](event-id-explanations.md) +### [Understanding Application Control event IDs](event-id-explanations.md) +### [Understanding Application Control event tags](event-tag-explanations.md) ### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ## [AppLocker](applocker\applocker-overview.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 6601f20830..5e96029084 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -1,6 +1,6 @@ --- -title: Understanding Application Control events (Windows 10) -description: Learn what different Windows Defender Application Control events signify. +title: Understanding Application Control event IDs (Windows 10) +description: Learn what different Windows Defender Application Control event IDs signify. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md new file mode 100644 index 0000000000..455177e5c9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -0,0 +1,83 @@ +--- +title: Understanding Application Control event tags (Windows 10) +description: Learn what different Windows Defender Application Control event tags signify. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 8/27/2020 +--- + +# Understanding Application Control event tags + +Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags. + +## SignatureType + +Represents the type of signature which verified the image. + +| SignatureType Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Unsigned or verification has not been attempted | +| 1 | Embedded signature | +| 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | +| 5 | Successfully verified using an EA that informs CI which catalog to try first | +|6 | AppX / MSIX package catalog verified | +| 7 | File was verified | + +## ValidatedSigningLevel + +Represents the signature level at which the code was verified. + +| ValidatedSigningLevel Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Signing level has not yet been checked | +| 1 | File is unsigned | +| 2 | Trusted by WDAC policy | +| 3 | Developer signed code | +| 4 | Authenticode signed | +| 5 | Microsoft Store signed app PPL (Protected Process Light) | +| 6 | Microsoft Store-signed | +| 7 | Signed by an Antimalware vendor whose product is using AMPPL | +| 8 | Microsoft signed | +| 11 | Only used for signing of the .NET NGEN compiler | +| 12 | Windows signed | +| 14 | Windows Trusted Computing Base signed | + +## VerificationError + +Represents why verification failed, or if it succeeded. + +| VerificationError Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Successfully verified signature | +| 2 | File contains shared writable sections | +| 4 | Revoked signature | +| 5 | Expired signature | +| 7 | Invalid root certificate | +| 8 | Signature was unable to be validated; generic error | +| 9 | Signing time not trusted | +| 12 | Not valid for a PPL (Protected Process Light) | +| 13 | Not valid for a PP (Protected Process) | +| 15 | Failed WHQL check | +| 16 | Default policy signing level not met | +| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | +| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | +| 19 | Binary is revoked by file hash | +| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | +| 21 | Failed to pass WDAC policy | +| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | +| 23 | Invalid image hash | +| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 26 | Explicitly denied by WADC policy | +| 28 | Resource page hash mismatch | diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 9ee20747b7..758ec476b6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -39,5 +39,6 @@ WDAC events are generated under two locations: | Topic | Description | | - | - | -| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. | +| [Understanding Application Control event IDs](event-id-explanations.md) | This topic explains the meaning of different WDAC event IDs. | +| [Understanding Application Control event tags](event-tag-explanations.md) | This topic explains the meaning of different WDAC event tags. | | [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | From b27c149e50c89d52766a857beaf68962818b5978 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 27 Aug 2020 16:10:25 -0700 Subject: [PATCH 2/4] Acrolinx: "Advanted" and "enable allow" --- .../windows-defender-application-control-operational-guide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 758ec476b6..2227143aad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -24,11 +24,11 @@ ms.date: 03/16/2020 - Windows 10 - Windows Server 2016 and above -After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature. +After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanced Threat Protection (MDATP) Advanced Hunting feature. ## WDAC Events Overview -WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. +WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. WDAC events are generated under two locations: From 531a677839d60abfb17653c93fc8780b52b142c7 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 27 Aug 2020 16:14:15 -0700 Subject: [PATCH 3/4] Corrected list type from ordered to unordered --- .../event-id-explanations.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 5e96029084..444430a762 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -21,8 +21,9 @@ ms.date: 3/17/2020 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: -1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational -2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script ## Microsoft Windows CodeIntegrity Operational log event IDs From 237eaf95d3811eca0b319b723c1796b3908f2e5d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 27 Aug 2020 16:15:08 -0700 Subject: [PATCH 4/4] Corrected list type from ordered to unordered --- ...windows-defender-application-control-operational-guide.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 2227143aad..8a7ad0700f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -32,8 +32,9 @@ WDAC generates and logs events when a policy is loaded as well as when a binary WDAC events are generated under two locations: -1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational -2. Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + - Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script ## In this section