palantir/exploitguard palantir/exploitguard

  • Stars
    star
    144
  • Rank 246,584 (Top 6 %)
  • Language
    PowerShell
  • License
    MIT License
  • Created over 4 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
palantir/exploitguard
github

palantir

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Documentation and supporting script sample for Windows Exploit Guard

Exploit Protection Event Documentation

Last updated: 10/15/19
Research by: Matthew Graeber @ SpecterOps

Associated Blog Post: https://medium.com/palantir/assessing-the-effectiveness-of-a-new-security-data-source-windows-defender-exploit-guard-860b69db2ad2

One of the most valuable features of WDEG are the Windows event logs generated when a security feature is triggered. While documentation on configuration (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection) and deployment (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml) of WDEG is readily accessible, documentation on what events WDEG supports, and the context around them, does not exist. The Palantir CIRT is of the opinion that the value of an event source is realized only upon documenting each field, applying context around the event, and leveraging these as discrete detection capabilities.

WDEG supplies events from multiple event sources (ETW providers) and destinations (event logs). In the documentation that follows, events are organized by their respective event destination. Additionally, many events use the same event template and are grouped accordingly. Microsoft does not currently document these events and context was acquired by utilizing documented ETW methodology (https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63), reverse engineering, and with support from security researchers (James Forshaw (https://twitter.com/tiraniddo) and Alex Ionescu (https://twitter.com/aionescu)) generously answering questions on Windows internals.

Event Log: Microsoft-Windows-Security-Mitigations/KernelMode

Events Consisting of Process Context

Event ID 1 - Arbitrary Code Guard (ACG) Auditing
Message: "Process '%2' (PID %5) would have been blocked from generating dynamic code."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitDynamicCode
Description: ACG (https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/) prevents/logs attempted permission modification of code pages (making a page writeable, specifically) and prevents unsigned code pages from being created.

Event ID 2 - Arbitrary Code Guard (ACG) Enforcement
Message: "Process '%2' (PID %5) was blocked from generating dynamic code."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitDynamicCode

Event ID 7 - Audit: Log Remote Image Loads
Message: "Process '%2' (PID %5) would have been blocking from loading a binary from a remote share."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitRemoteImageMap
Description: Prevents/logs the loading of images from remote UNC/WebDAV shares, a common exploitation/dll hijack primitive used (https://www.rapid7.com/db/modules/exploit/windows/browser/ms10_046_shortcut_icon_dllloader) to load subsequent attacker code from an attacker-controlled location.

Event ID 8 - Enforce: Block Remote Image Loads
Message: "Process '%2' (PID %5) was blocked from loading a binary from a remote share."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitRemoteImageMap

Event ID 9 - Audit: Log Win32K System Call Table Use
Message: "Process '%2' (PID %5) would have been blocked from making system calls to Win32k.sys."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitWin32kSystemCalls
Description: A user-mode GUI thread attempted to access the Win32K syscall table. Win32K syscalls are used frequently to trigger elevation of privilege (https://www.slideshare.net/PeterHlavaty/rainbow-over-the-windows-more-colors-than-you-could-expect) and sandbox escape vulnerabilities (https://improsec.com/tech-blog/win32k-system-call-filtering-deep-dive). For processes that do not intend to perform GUI-related tasks, Win32K syscall auditing/enforcement can be valuable.

Event ID 10 - Enforce: Prevent Win32K System Call Table Use
Message: "Process '%2' (PID %5) was blocked from making system call
s to Win32k.sys."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitWin32kSystemCalls

Event Properties
ProcessPathLength
The length, in characters, of the string in the ProcessPath field.

ProcessPath
The full path (represented as a device path) of the host process binary that triggered the event.

ProcessCommandLineLength
The length, in characters, of the string in the ProcessCommandLine field.

ProcessCommandLine
The full command line of the process that triggered the event.

CallingProcessId
The process ID of the process that triggered the event.

CallingProcessCreateTime
The creation time of the process that triggered the event.

CallingProcessStartKey
This field represents a locally unique identifier for the process. It was designed as a more robust version of process ID that is resistant to being repeated. Process start key was introduced in Windows 10 1507 and is derived from _KUSER_SHARED_DATA.BootId and EPROCESS.SequenceNumber, both of which increment and are unlikely to overflow. It is an unsigned 64-bit value that is derived using the following logic: (BootId << 30) | SequenceNumber. Kernel drivers can retrieve the process start key for a process by calling the PsGetProcessStartKey export in ntoskrnl.exe. A process start key can also be derived from user-mode (https://gist.github.com/mattifestation/3c2e8f80ca1fe1a7e276ee2607da8d18).

CallingProcessSignatureLevel
The signature level of the process executable. This is the validated signing level for the process when it was started. This field is populated from EPROCESS.SignatureLevel. Signature level can be any of the following values:

  • 0x0 - Unchecked
  • 0x1 - Unsigned
  • 0x2 - Enterprise
  • 0x3 - Custom1
  • 0x4 - Authenticode
  • 0x5 - Custom2
  • 0x6 - Store
  • 0x7 - Antimalware
  • 0x8 - Microsoft
  • 0x9 - Custom4
  • 0xA - Custom5
  • 0xB - DynamicCodegen
  • 0xC - Windows
  • 0xD - WindowsProtectedProcessLight
  • 0xE - WindowsTcb
  • 0xF - Custom6

CallingProcessSectionSignatureLevel The section signature level is the default required signature level for any modules that get loaded into the process. The same values as ProcessSignatureLevel are supported. This field is populated from EPROCESS.SectionSignatureLevel. The following are some example process and process section signature levels that you might realistically encounter:

  1. ProcessSignatureLevel: 8, ProcessSectionSignatureLevel: 6. This indicates that a Microsoft-signed host process will only load images with a Store signature at a minimum. Thanks to Alex Ionescu for pointing out this example scenario.
  2. ProcessSignatureLevel: 2, ProcessSectionSignatureLevel: 2. This indicates that both process and module loading are dictated by Windows Defender Application Control (WDAC) policy.
  3. ProcessSignatureLevel: 0, ProcessSectionSignatureLevel: 0. This would indicate that signature level enforcement for process and module loading is not enforced.

CallingProcessProtection
The type of protected process and the protected process signer. This field is populated from EPROCESS.Protection and corresponds to the PS_PROTECTION structure. These values are well documented in Windows Internals: Volume 7.

The first 3 bits contain the type of protected process (refers to the low nibble of the value):

  • PsProtectedTypeNone - 0
  • PsProtectedTypeProtectedLight - 1
  • PsProtectedTypeProtected - 2

The top 4 bits contain the protected process signer (refers to the high nibble of the value):

  • PsProtectedSignerNone - 0
  • PsProtectedSignerAuthenticode - 1
  • PsProtectedSignerCodeGen - 2
  • PsProtectedSignerAntimalware - 3
  • PsProtectedSignerLsa - 4
  • PsProtectedSignerWindows - 5
  • PsProtectedSignerWinTcb - 6
  • PsProtectedSignerWinSystem - 7
  • PsProtectedSignerApp - 8

Here are some example process protection values:

  • 0x31 - A PPL, antimalware process
  • 0x62 - A protected, WinTCB process

CallingThreadId
The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.

CallingThreadCreateTime
The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.

Child Process Creation Events

Event ID 3 - Audit: Child Process Creation
Message: “Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitChildProcessCreation
Description: log/prevents child process creation

Event ID 4 - Enforce: Prevent Child Process Creation
Message: “Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitChildProcessCreation

Event Properties
ProcessPathLength
The length, in characters, of the string in the ProcessPath field.

ProcessPath
The full path (represented as a device path) of the host process binary that triggered the event.

ProcessCommandLineLength
The length, in characters, of the string in the ProcessCommandLine field.

ProcessCommandLine
The full command line of the process that triggered the event.

CallingProcessId
The process ID of the process that triggered the event.

CallingProcessCreateTime
The creation time of the process that triggered the event.

CallingProcessStartKey
See section above.

CallingProcessSignatureLevel
See section above.

CallingProcessSectionSignatureLevel
See section above.

CallingProcessProtection
See section above.

CallingThreadId
The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.

CallingThreadCreateTime
The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.

ChildImagePathNameLength
The length, in characters, of the string in the ChildImagePathName field.

ChildImagePathName
The path to the image that is attempting to load.

ChildCommandLineLength
The length, in characters, of the string in the ChildCommandLine field.

ChildCommandLine
The command line of the image that is attempting to load.

Low Integrity Image Load Events

Event ID 5 - Audit: low integrity image load
Message: “Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitLowILImageMap

Event ID 6 - Enforce: block low integrity image load
Message: “Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitLowILImageMap

Event Properties ProcessPathLength
The length, in characters, of the string in the ProcessPath field.

ProcessPath
The full path (represented as a device path) of the host process binary that triggered the event.

ProcessCommandLineLength
The length, in characters, of the string in the ProcessCommandLine field.

ProcessCommandLine
The full command line of the process that triggered the event.

ProcessId
The process ID of the process that triggered the event.

ProcessCreateTime
The creation time of the process that triggered the event.

ProcessStartKey
See section above.

ProcessSignatureLevel
See section above.

ProcessSectionSignatureLevel
See section above.

ProcessProtection
See section above.

TargetThreadId
The thread ID of the thread responsible for triggering the event. This field is populated from ETHREAD.Cid.UniqueThread.

TargetThreadCreateTime
The creation time of the thread responsible for triggering the event. This field is populated from ETHREAD.CreateTime.

ImageNameLength
The length, in characters, of the string in the ImageName field.

ImageName
The name of the image that attempted to load with low integrity.

Non-Microsoft Binary Load Events

Event ID 11 - Audit: A non-Microsoft-signed binary would have been loaded.
Message: “Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'."
Level: 0 (Log Always)
Function that generates the event: ntoskrnl!EtwTimLogProhibitNonMicrosoftBinaries
Description: This event is logged any time a PE is loaded into a process that is not Microsoft-signed.

Event ID 12 - Enforce: A non-Microsoft-signed binary was prevented from loading.
Message: “Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'."
Level: 3 (Warning)
Function that generates the event: ntoskrnl!EtwTimLogProhibitNonMicrosoftBinaries

Event Properties
ProcessPathLength
The length, in characters, of the string in the ProcessPath field.

ProcessPath
The full path (represented as a device path) of the host process binary into which a non-MSFT binary attempted to load.

ProcessCommandLineLength
The length, in characters, of the string in the ProcessCommandLine field.

ProcessCommandLine
The full command line of the process into which a non-MSFT binary attempted to load.

ProcessId
The process ID of the process into which a non-MSFT binary attempted to load.

ProcessCreateTime
The creation time of the process into which a non-MSFT binary attempted to load.

ProcessStartKey
See section above.

ProcessSignatureLevel
See section above.

ProcessSectionSignatureLevel
See section above.

ProcessProtection
See section above.

TargetThreadId
The thread ID of the thread responsible for attempting to load the non-MSFT binary. This field is populated from ETHREAD.Cid.UniqueThread.

TargetThreadCreateTime
The creation time of the thread responsible for attempting to load the non-MSFT binary. This field is populated from ETHREAD.CreateTime.

RequiredSignatureLevel
The minimum signature level being imposed by WDEG. The same values as ProcessSignatureLevel are supported. This value will either be 8 in the case of Microsoft-signed binaries only or 6 in the case where Store images are permitted.

SignatureLevel
The validated signature level of the image present in the ImageName field. The same values as ProcessSignatureLevel are supported. A value less than RequiredSignatureLevel indicates the reason why EID 11/12 was logged in the first place. When this event is logged, SignatureLevel will always be less than RequiredSignatureLevel.

ImageNameLength
The length, in characters, of the string in the ImageName field.

ImageName
The full path to the image that attempted to load into the host process.

Event Log: Microsoft-Windows-Security-Mitigations/UserMode

Export/Import Address Table Access Filtering (EAF/IAF) Events

Event ID 13 - EAF mitigation audited
Message: “Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage
Description: The export address table was accessed by code that is not backed by an image on disk - i.e. injected shellcode is the likely culprit for access the EAT.

Event ID 14 - EAF mitigation enforced
“Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage

Event ID 15 - EAF+ mitigation audited
Message: “Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage
Description: The export address table was accessed by code that is not backed by an image on disk and via many other improved heuristics - i.e. injected shellcode is the likely culprit for access the EAT.

Event ID 16 - EAF+ mitigation enforced
Message: “Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibValidateAccessToProtectedPage

Event ID 17 - IAF mitigation audited
Message: “Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'."
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibProcessIAFGuardPage
Description: The import address table was accessed by code that is not backed by an image on disk.

Event ID 18 - IAF mitigation enforced
Message: “Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'."
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibProcessIAFGuardPage

Event Properties
Subcode
Specifies a value in the range of 1-4 that indicates how how the event was triggered.

  • 1 - Indicates that the classic EAF mitigation was triggered. This subcode is used if the instruction pointer address used to access the EAF does not map to a DLL that was loaded from disk (ntdll!RtlPcToFileHeader (https://docs.microsoft.com/en-us/windows/desktop/api/winnt/nf-winnt-rtlpctofileheader) is used to make this determination).
  • 2 - Indicates that the stack registers ([R|S]P and [R|E]BP) fall outside the stack extent of the current thread. This is one of the EAF+ mitigations.
  • 3 - Indicates that a memory reader gadget was used to access the EAF. PayloadRestrictions.dll statically links a disassembler library that attempts to make this determination. This is one of the EAF+ mitigations.
  • 4 - Indicates that the IAF mitigation triggered. This also implies that the APIName property will be populated.

ProcessPath
The full path of the process in which the EAF/IAF mitigation triggered.

ProcessId
The process ID of the process in which the EAF/IAF mitigation triggered.

ModuleFullPath
The full path of the module that caused the mitigation to trigger. This value will be empty if the subcode value is 1.

ModuleBase
The base address of the module that caused the mitigation to trigger. This value will be 0 if the subcode value is 1.

ModuleAddress
The instruction pointer address ([R|E]IP) upon the mitigation triggering. This property is only relevant to the EAF mitigations. It does not apply to the IAF mitigation.

MemAddress
The virtual address that was accessed within a protected module that triggered a guard page exception. This property is only relevant to the EAF mitigations. It does not apply to the IAF mitigation.

MemModuleFullPath
The full path of the protected module that was accessed. This string is obtained from LDR_DATA_TABLE_ENTRY.FullDllName in the PEB. This property is only relevant to the EAF mitigations. It does not apply to the IAF mitigation.

MemModuleBase
The base address of the protected module that was accessed.

APIName
The blacklisted export function name that was accessed. This property is only applicable to the IAF mitigation. The following APIs are included in the blacklist: GetProcAddressForCaller, LdrGetProcedureAddress, LdrGetProcedureAddressEx, CreateProcessAsUserA, CreateProcessAsUserW, GetModuleHandleA, GetModuleHandleW, RtlDecodePointer, DecodePointer.

ProcessStartTime
The creation time of the process specified in ProcessPath/ProcessId. The process time is obtained by calling NtQueryInformationProcess (https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess) with ProcessTimes as the ProcessInformationClass argument. The process time is obtained from the CreateTime field of the KERNEL_USER_TIMES structure.

ThreadId
The thread ID of the thread that generated the event.

Return-Oriented Programming (ROP) Events

Event ID 19 - ROP mitigation audited: Stack Pivot
Message: Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibNotifyStackPivotViolation
Description: A ROP stack pivot was detection by observing that the stack pointer fell outside the stack extent (stack base and stack limit) for the current thread.

Event ID 20 - ROP mitigation enforced: Stack Pivot
Message: Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibNotifyStackPivotViolation

Event ID 21 - ROP mitigation audited: Caller Checks
Message: Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibRopCheckCaller
Description: This event is logged if one of the functions listed in the HookedAPI section below was not called with a call instruction - e.g. called with via a RET instruction.

Event ID 22 - ROP mitigation enforced: Caller Checks
Message: Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibRopCheckCaller

Event ID 23 - ROP mitigation audited: Simulate Execution Flow
Message: Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.
Level: 0 (Log Always)
Function that generates the event: PayloadRestrictions!MitLibRopCheckSimExecFlow
Description: The simulate execution flow mitigation simulates continued execution of any of the functions listed in HookedAPI section and if any of the return logic along the stack resembles ROP behavior, this event is triggered.

Event ID 24 - ROP mitigation enforced: Simulate Execution Flow
Message: Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.
Level: 3 (Warning)
Function that generates the event: PayloadRestrictions!MitLibRopCheckSimExecFlow

Event Properties
Subcode
Specifies a value in the range of 5-7 that indicates how how the event was triggered.

  • 5 - Indicates that the stack pivot ROP mitigation was triggered.
  • 6 - Indicates that the “caller checks" ROP mitigation was triggered.
  • 7 - Indicates that the “simulate execution flow" ROP mitigation was triggered.

ProcessPath
The full path of the process in which the ROP mitigation triggered.

ProcessId
The process ID of the process in which the ROP mitigation triggered.

HookedAPI
The name of the monitored API that triggered the event. The following hooked APIs are monitored: LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW, LdrLoadDll, VirtualAlloc, VirtualAllocEx, NtAllocateVirtualMemory, VirtualProtect, VirtualProtectEx, NtProtectVirtualMemory, HeapCreate, RtlCreateHeap, CreateProcessA, CreateProcessW, CreateProcessInternalA, CreateProcessInternalW, NtCreateUserProcess, NtCreateProcess, NtCreateProcessEx, CreateRemoteThread, CreateRemoteThreadEx, NtCreateThreadEx, WriteProcessMemory, NtWriteVirtualMemory, WinExec, LdrGetProcedureAddressForCaller, GetProcAddress, GetProcAddressForCaller, LdrGetProcedureAddress, LdrGetProcedureAddressEx, CreateProcessAsUserA, CreateProcessAsUserW, GetModuleHandleA, GetModuleHandleW, RtlDecodePointer, DecodePointer

ReturnAddress
I was unable to spend too much time reversing PayloadRestrictions.dll to how this property is populated but based on fired events and inference, this property indicates the return address for the current stack frame that triggered the ROP event. A return address that pointed to an address in the stack or to an address of another ROP gadget (a small sequence of instructions followed by a return instruction) would be considered suspicious.

CalledAddress
This appears to be the address of the hooked, blacklisted API that was called by the potential ROP chain.

TargetAddress
This value appears to be the target call/jump address of the ROP gadget to which control was to be transferred via non-traditional means. The TargetAddress value is zero when the “simulate execution flow" ROP mitigation was triggered.

StackAddress
The stack address triggering the stack pivot ROP mitigation. This value only populated with the stack pivot ROP mitigation. The StackAddress value is zero when the “simulate execution flow" and “caller checks" ROP mitigations are triggered. When StackAddress is populated, it would indicate that the stack address falls outside the stack extent (NT_TIB StackBase/StackLimit range) for the current thread.

FrameAddress
This value is zeroed out in code so it is unclear what it’s intended purpose is.

ReturnAddressModuleFullPath
The full path of the module that is backed by the ReturnAddress property (via ntdll!RtlPcToFileHeader and ntdll!LdrGetDllFullName). If ReturnAddress is not backed by a disk-backed module, this property will be empty.

ProcessStartTime
The creation time of the process specified in ProcessPath/ProcessId. The process time is obtained by calling NtQueryInformationProcess (https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess) with ProcessTimes as the ProcessInformationClass argument. The process time is obtained from the CreateTime field of the KERNEL_USER_TIMES structure.

ThreadId
The thread ID of the thread that generated the event.

Event Log: Microsoft-Windows-Win32k/Operational

Event ID 260 - A GDI-based font not installed in the system fonts directory was prevented from being loaded
Message: “%1 attempted loading a font that is restricted by font loading policy.
FontType: %2
FontPath: %3
Blocked: %4"
Level: 0 (Log Always)
Function that generates the event: win32kbase!EtwFontLoadAttemptEvent
Description: This mitigation is detailed in this blog post (http://blogs.360.cn/post/windows10_font_security_mitigations.html).

Event Properties
SourceProcessName
Specifies the name of the process that attempted to load the font.

SourceType
Refers to an undocumented W32KFontSourceType enum that based on calls to win32kfull!ScrutinizeFontLoad can be any of the following values:

  • 0 - “LoadPublicFonts" - Supplied via win32kfull!bCreateSectionFromHandle ()
  • 1 - “LoadMemFonts" - Supplied via win32kfull!PUBLIC_PFTOBJ::hLoadMemFonts
  • 2 - “LoadRemoteFonts" - Supplied via win32kfull!PUBLIC_PFTOBJ::bLoadRemoteFonts
  • 3 - “LoadDeviceFonts" - Supplied via win32kfull!DEVICE_PFTOBJ::bLoadFonts

FontSourcePath
Specifies the path to the font that attempted to load.

Blocked
A value of 1 specifies that the font was blocked from loading. A value of 0 indicates that the font was allowed to load but was logged.

Event Log: System

Event ID 5 - Control Flow Guard (CFG) Violation
Event source: Microsoft-Windows-WER-Diag
Message: “CFG violation is detected."
Level: 0 (Log Always)
Function that generates the event: werfault!CTIPlugin::NotifyCFGViolation
Description: A description of the CFG mitigation can be found here (https://docs.microsoft.com/en-us/windows/desktop/SecBP/control-flow-guard). Specific event field documentation could not be completed in a reasonable amount of time.

Event Properties

AppPath
ProcessId
ProcessStartTime
Is64Bit
CallReturnAddress
CallReturnModName
CallReturnModOffset
CallReturnInstructionBytesLength
CallReturnInstructionBytes
CallReturnBaseAddress
CallReturnRegionSize
CallReturnState
CallReturnProtect
CallReturnType
TargetAddress
TargetModName
TargetModOffset
TargetInstructionBytesLength
TargetInstructionBytes
TargetBaseAddress
TargetRegionSize
TargetState
TargetProtect
TargetType

More Repositories

1

blueprint

A React-based UI toolkit for the web
TypeScript
19,885
star
2

tslint

🚦 An extensible linter for the TypeScript language
TypeScript
5,916
star
3

plottable

📊 A library of modular chart components built on D3
TypeScript
2,926
star
4

python-language-server

An implementation of the Language Server Protocol for Python
Python
2,579
star
5

windows-event-forwarding

A repository for using windows event forwarding for incident detection and response
Roff
1,186
star
6

pyspark-style-guide

This is a guide to PySpark code style presenting common situations and the associated best practices based on the most frequent recurring topics across the PySpark repos we've encountered.
Python
945
star
7

osquery-configuration

A repository for using osquery for incident detection and response
800
star
8

tslint-react

📙 Lint rules related to React & JSX for TSLint.
TypeScript
752
star
9

bulldozer

GitHub Pull Request Auto-Merge Bot
Go
725
star
10

gradle-docker

a Gradle plugin for orchestrating docker builds and pushes.
Groovy
723
star
11

policy-bot

A GitHub App that enforces approval policies on pull requests
Go
700
star
12

alerting-detection-strategy-framework

A framework for developing alerting and detection strategies for incident response.
610
star
13

stacktrace

Stack traces for Go errors
Go
498
star
14

docker-compose-rule

A JUnit rule to manage docker containers using docker-compose
Java
422
star
15

conjure

Strongly typed HTTP/JSON APIs for browsers and microservices
Java
393
star
16

palantir-java-format

A modern, lambda-friendly, 120 character Java formatter.
Java
373
star
17

eclipse-typescript

An Eclipse plug-in for developing in the TypeScript language.
JavaScript
341
star
18

gradle-git-version

a Gradle plugin that uses `git describe` to produce a version string.
Java
339
star
19

go-githubapp

A simple Go framework for building GitHub Apps
Go
317
star
20

godel

Go tool for formatting, checking, building, distributing and publishing projects
Go
304
star
21

gradle-baseline

A set of Gradle plugins that configure default code quality tools for developers.
Java
283
star
22

jamf-pro-scripts

A collection of scripts and extension attributes created for managing Mac workstations via Jamf Pro.
Shell
277
star
23

gradle-graal

A plugin for Gradle that adds tasks to download, extract and interact with GraalVM tooling.
Java
225
star
24

log4j-sniffer

A tool that scans archives to check for vulnerable log4j versions
Go
193
star
25

tfjson

Terraform plan file to JSON
Go
182
star
26

k8s-spark-scheduler

A Kubernetes Scheduler Extender to provide gang scheduling support for Spark on Kubernetes
Go
175
star
27

Sysmon

A lightweight platform monitoring tool for Java VMs
Java
155
star
28

typesettable

📐 A typesetting library for SVG and Canvas
TypeScript
146
star
29

documentalist

📝 A sort-of-static site generator optimized for living documentation of software projects
TypeScript
145
star
30

bouncer

An application to cycle (bounce) all nodes in a coordinated fashion in an AWS ASG or set of related ASGs
Go
130
star
31

gradle-consistent-versions

Compact, constraint-friendly lockfiles for your dependencies
Java
111
star
32

Cinch

A Java library that manages component action/event bindings for MVC patterns
Java
110
star
33

redoodle

An addon library for Redux that enhances its integration with TypeScript.
TypeScript
99
star
34

gradle-jacoco-coverage

Groovy
99
star
35

sqlite3worker

A threadsafe sqlite worker for Python
Python
94
star
36

phishcatch

A browser extension and API server for detecting corporate password use on external websites
CSS
83
star
37

python-jsonrpc-server

A Python 2 and 3 asynchronous JSON RPC server
Python
80
star
38

conjure-java-runtime

Opinionated libraries for HTTP&JSON-based RPC using Retrofit, Feign, OkHttp as clients and Jetty/Jersey as servers
Java
78
star
39

stashbot

A plugin for Atlassian Stash to allow easy, self-service continuous integration with Jenkins
Java
67
star
40

go-baseapp

A lightweight starting point for Go web servers
Go
67
star
41

stash-codesearch-plugin

Provides global repository, commit, and file content search for Atlassian Stash instances
Java
62
star
42

gradle-processors

Gradle plugin for integrating Java annotation processors
Groovy
62
star
43

go-java-launcher

A simple Go program for launching Java programs from a fixed configuration. This program replaces Gradle-generated Bash launch scripts which are susceptible to attacks via injection of environment variables of the form JAVA_OPTS='$(rm -rf /)'.
Go
59
star
44

pkg

A collection of stand-alone Go packages
Go
53
star
45

rust-zipkin

A library for logging and propagating Zipkin trace information in Rust
Rust
53
star
46

grunt-tslint

A Grunt plugin for tslint.
JavaScript
51
star
47

witchcraft-go-server

A highly opinionated Go embedded application server for RESTy APIs
Go
50
star
48

spark-influx-sink

A Spark metrics sink that pushes to InfluxDb
Scala
50
star
49

giraffe

Gracefully Integrated Remote Access For Files and Execution
Java
49
star
50

language-servers

[Deprecated and No longer supported] A collection of implementations for the Microsoft Language Server Protocol
Java
46
star
51

go-license

Go tool that applies and verifies that proper license headers are applied to Go files
Go
44
star
52

hadoop-crypto

Library for per-file client-side encyption in Hadoop FileSystems such as HDFS or S3.
Java
41
star
53

tritium

Tritium is a library for instrumenting applications to provide better observability at runtime
Java
39
star
54

sls-packaging

A set of Gradle plugins for creating SLS-compatible packages
Shell
38
star
55

roboslack

A pluggable, fluent, straightforward Java library for interacting with Slack.
Java
37
star
56

dropwizard-web-security

A Dropwizard bundle for applying default web security functionality
Java
37
star
57

goastwriter

Go library for writing Go source code programatically
Go
31
star
58

gradle-gitsemver

Java
31
star
59

palantir-python-sdk

Palantir Python SDK
Python
30
star
60

gradle-revapi

Gradle plugin that uses Revapi to check whether you have introduced API/ABI breaks in your Java public API
Java
29
star
61

checks

Go libraries and programs for performing static checks on Go projects
Go
29
star
62

gradle-circle-style

🚀🚀🚀MOVED TO Baseline
Java
28
star
63

trove

Patched version of the Trove 3 library - changes the Collections semantics to match proper java.util.Map semantics
Java
27
star
64

dialogue

A client-side RPC library for conjure-java
Java
27
star
65

atlasdb

Transactional Distributed Database Layer
Java
27
star
66

stylelint-config-palantir

Palantir's stylelint config
JavaScript
25
star
67

typedjsonrpc

A typed decorator-based JSON-RPC library for Python
Python
24
star
68

encrypted-config-value

Tooling for encrypting certain configuration parameter values in dropwizard apps
Java
22
star
69

typescript-service-generator

Java
21
star
70

streams

Utilities for working with Java 8 streams
Java
21
star
71

distgo

Go tool for building, distributing and publishing Go projects
Go
21
star
72

gradle-npm-run-plugin

Groovy
20
star
73

conjure-python

Conjure generator for Python clients
Java
19
star
74

conjure-java

Conjure generator for Java clients and servers
Java
19
star
75

amalgomate

Go tool for combining multiple different main packages into a single program or library
Go
19
star
76

serde-encrypted-value

A crate which wraps Serde deserializers and decrypts values
Rust
19
star
77

gradle-docker-test-runner

Gradle plugin for running tests in Docker environments
Groovy
19
star
78

gerrit-ci

Plugin for Gerrit enabling self-service continuous integration workflows with Jenkins.
Java
18
star
79

conjure-rust

Conjure support for Rust
Rust
18
star
80

conjure-typescript

Conjure generator for TypeScript clients
TypeScript
17
star
81

gpg-tap-notifier-macos

Show a macOS notification when GPG is waiting for you to tap/touch a security device (e.g. YubiKey).
Swift
17
star
82

tracing-java

Java library providing zipkin-like tracing functionality
Java
16
star
83

plottable-moment

Plottable date/time formatting library built on Moment.js
JavaScript
16
star
84

spark-tpcds-benchmark

Utility for benchmarking changes in Spark using TPC-DS workloads
Java
16
star
85

assertj-automation

Automatic code rewriting for AssertJ using error-prone and refaster
Java
15
star
86

metric-schema

Schema for standard metric definitions
Java
14
star
87

safe-logging

Interfaces and utilities for safe log messages
Java
14
star
88

resource-identifier

Common resource identifier specification for inter-application object sharing
Java
14
star
89

dropwizard-web-logger

WebLoggerBundle is a Dropwizard bundle used to help log web activity to log files on a server’s backend
Java
14
star
90

gradle-shadow-jar

Gradle plugin to precisely shadow either a dependency or its transitives
Groovy
14
star
91

gradle-miniconda-plugin

Plugin that sets up a Python environment for building and running tests using Miniconda.
Java
13
star
92

conjure-go-runtime

Go implementation of the Conjure runtime
Go
12
star
93

gulp-count

Counts files in vinyl streams.
CoffeeScript
12
star
94

gradle-configuration-resolver-plugin

Groovy
12
star
95

asana_mailer

A script that uses Asana's RESTful API to generate plaintext and HTML emails.
Python
12
star
96

human-readable-types

A collection of human-readable types
Java
11
star
97

dropwizard-index-page

A Dropwizard bundle that serves the index page for a single page application
Java
11
star
98

eclipse-less

An Eclipse plug-in for compiling LESS files.
Java
11
star
99

go-compiles

Go check that checks that Go source and tests compiles
Go
11
star
100

go-generate

Go tool that runs and verifies the output of go generate
Go
11
star