Microsoft-Windows-Security-Mitigations

36 events across 2 channels

Event	Title	Channel	Sample
1	Process 'ProcessPath' (PID CallingProcessId) would have been blocked from …	KernelMode	Y
2	Process 'ProcessPath' (PID CallingProcessId) was blocked from generating dynamic …	KernelMode	Y
3	Process 'ProcessPath' (PID CallingProcessId) would have been blocked from …	KernelMode	Y
4	Process 'ProcessPath' (PID CallingProcessId) was blocked from creating a child …	KernelMode	Y
5	Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the …	KernelMode	N
6	Process 'ProcessPath' (PID ProcessId) was blocked from loading the low-integrity …	KernelMode	N
7	Process 'ProcessPath' (PID CallingProcessId) would have been blocking from …	KernelMode	N
8	Process 'ProcessPath' (PID CallingProcessId) was blocked from loading a binary …	KernelMode	N
9	Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making …	KernelMode	N
10	Process 'ProcessPath' (PID CallingProcessId) was blocked from making system …	KernelMode	Y
11	Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the …	KernelMode	N
12	Process 'ProcessPath' (PID ProcessId) was blocked from loading the …	KernelMode	Y
13	Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the …	UserMode	N
14	Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export …	UserMode	N
15	Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the …	UserMode	N
16	Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export …	UserMode	N
17	Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the …	UserMode	N
18	Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Import …	UserMode	N
19	Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the …	UserMode	N
20	Process 'ProcessPath' (PID ProcessId) was blocked from calling the API …	UserMode	N
21	Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the …	UserMode	N
22	Process 'ProcessPath' (PID ProcessId) was blocked from calling the API …	UserMode	N
23	Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the …	UserMode	N
24	Process 'ProcessPath' (PID ProcessId) was blocked from calling the API …	UserMode	N
25	Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return …	KernelMode	N
26	Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return …	KernelMode	N
27	Process 'ProcessPath' (PID ProcessId) would have been blocked from setting …	KernelMode	N
28	Process 'ProcessPath' (PID ProcessId) was blocked from setting context due to …	KernelMode	N
29	Process 'ProcessPath' (PID ProcessId) would have been blocked from loading an …	KernelMode	N
30	Process 'ProcessPath' (PID ProcessId) was blocked from loading an image binary …	KernelMode	N
31	Process 'Arguments' (PID Impersonating) would have been blocked from following …	KernelMode	N
32	Process 'Arguments' (PID Impersonating) was blocked from following an untrusted …	KernelMode	N
33	The system has encountered a kernel-mode shadow stack return address mismatch.	KernelMode	N
34	The system has encountered a kernel-mode shadow stack return address mismatch.	KernelMode	N
35	Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making …	KernelMode	N
36	Process 'ProcessPath' (PID CallingProcessId) was blocked from making the …	KernelMode	N

Event ID 1: Process 'ProcessPath' (PID CallingProcessId) would have been blocked from generating dynamic code.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from generating dynamic code.

Message #

Process '%2' (PID %5) would have been blocked from generating dynamic code.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "{FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF}",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 0,
    "task": 1,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:33:27.7050527+00:00",
    "event_record_id": 67,
    "correlation": {},
    "execution": {
      "process_id": 3448,
      "thread_id": 5600
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessPathLength": "52",
    "ProcessPath": "\\Device\\HarddiskVolume1\\Windows\\System32\\spoolsv.exe",
    "ProcessCommandLineLength": "31",
    "ProcessCommandLine": "C:\\Windows\\System32\\spoolsv.exe",
    "CallingProcessId": "3448",
    "CallingProcessCreateTime": "2026-05-29T16:33:03.3624351Z",
    "CallingProcessStartKey": "4222124650659908",
    "CallingProcessSignatureLevel": "0",
    "CallingProcessSectionSignatureLevel": "0",
    "CallingProcessProtection": "0",
    "CallingThreadId": "5600",
    "CallingThreadCreateTime": "2026-05-29T16:33:27.7046692Z"
  },
  "message": "Process '\\Device\\HarddiskVolume1\\Windows\\System32\\spoolsv.exe' (PID 3448) would have been blocked from generating dynamic code."
}

Event ID 2: Process 'ProcessPath' (PID CallingProcessId) was blocked from generating dynamic code.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Level: Warning
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from generating dynamic code.

Message #

Process '%2' (PID %5) was blocked from generating dynamic code.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:01:34.932541+00:00",
    "event_record_id": 88,
    "correlation": {},
    "execution": {
      "process_id": 11664,
      "thread_id": 10404
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ProcessPathLength": 59,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\TeamViewer\\tv_x64.exe",
    "ProcessCommandLineLength": 192,
    "ProcessCommandLine": "\"C:\\Program Files\\TeamViewer\\tv_x64.exe\" --action installpnpdriver --inf \"C:\\Program Files\\TeamViewer\\x64\\TVVirtualMonitorDriver.inf\" --log \"C:\\Program Files\\TeamViewer\\TeamViewer15_Hooks.log\"",
    "CallingProcessId": 11664,
    "CallingProcessCreateTime": "2023-11-06T01:01:34.836839Z",
    "CallingProcessStartKey": 3659174697240700,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 10404,
    "CallingThreadCreateTime": "2023-11-06T01:01:34.836843Z"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3: Process 'ProcessPath' (PID CallingProcessId) would have been blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.

Message #

Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.
`ChildImagePathNameLength` UInt16
`ChildImagePathName` UnicodeString
`ChildCommandLineLength` UInt16
`ChildCommandLine` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 0,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-26T04:19:22.802481+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 2524,
      "thread_id": 452
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessPathLength": 52,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Windows\\System32\\spoolsv.exe",
    "ProcessCommandLineLength": 31,
    "ProcessCommandLine": "C:\\Windows\\System32\\spoolsv.exe",
    "CallingProcessId": 2524,
    "CallingProcessCreateTime": "2023-10-26T04:17:19.791140Z",
    "CallingProcessStartKey": 281474976710715,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 452,
    "CallingThreadCreateTime": "2023-10-26T04:19:20.206505Z",
    "ChildImagePathNameLength": 32,
    "ChildImagePathName": "C:\\Windows\\SysWOW64\\regsvr32.exe",
    "ChildCommandLineLength": 73,
    "ChildCommandLine": "C:\\Windows\\SysWOW64\\regsvr32.exe /s \"C:\\Windows\\SysWOW64\\PrintConfig.dll\""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4: Process 'ProcessPath' (PID CallingProcessId) was blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Level: Warning
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.

Message #

Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.
`ChildImagePathNameLength` UInt16
`ChildImagePathName` UnicodeString
`ChildCommandLineLength` UInt16
`ChildCommandLine` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 3,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:47.998503+00:00",
    "event_record_id": 3000,
    "correlation": {},
    "execution": {
      "process_id": 6084,
      "thread_id": 6236
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ProcessPathLength": 94,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Windows Defender Advanced Threat Protection\\SenseNdr.exe",
    "ProcessCommandLineLength": 512,
    "ProcessCommandLine": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseNdr.exe\"  \"eyJDbGllbnRWZXIiOiIxMC44MjEwLjIyNjIxLjQ1NyIsIkNvbXBvbmVudHMiOlt7IkFkYXB0ZXJJZCI6Ins4QTE3NjBCNi1EQzk5LTRCOTAtOUM0QS0wMjk2OThFNUFFMjd9IiwiQ2F0ZWdvcnkiOjIsIkRlZmF1bHRHYXRld2F5cyI6W3siQWRkcmVzcyI6IjEwLjIuMTAuMjU0IiwiTUFDIjoiYmM6MjQ6MTE6MjI6NWI6NTcifV0sIkRvbWFpblR5cGUiOjAsIklwQWRkcmVzc2VzIjpbeyJBZGRyZXNzIjoiMTAuMi4xMC4yMSIsIk1BU0siOjI0fV0sIk5ldE5hbWUiOiJOZXR3b3JrIDIiLCJQaHlzaWNhbEFkZHIiOiJiYzI0MTE5YTRkYzIiLCJQa3RNb25JZCI6MSwiUmVnaXN0cn",
    "CallingProcessId": 6084,
    "CallingProcessCreateTime": "2026-03-11T06:27:47.450908Z",
    "CallingProcessStartKey": 4222124650660002,
    "CallingProcessSignatureLevel": 8,
    "CallingProcessSectionSignatureLevel": 8,
    "CallingProcessProtection": 0,
    "CallingThreadId": 6236,
    "CallingThreadCreateTime": "2026-03-11T06:27:47.450927Z",
    "ChildImagePathNameLength": 35,
    "ChildImagePathName": "\\??\\C:\\Windows\\system32\\conhost.exe",
    "ChildCommandLineLength": 55,
    "ChildCommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
  },
  "message": ""
}

Event ID 5: Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the low-integrity binary 'ImageName'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the low-integrity binary 'ImageName'.

Message #

Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`TargetThreadId` UInt32	Thread ID in the target process.
`TargetThreadCreateTime` FILETIME	Creation timestamp of the target thread.
`ImageNameLength` UInt16
`ImageName` UnicodeString

Event ID 6: Process 'ProcessPath' (PID ProcessId) was blocked from loading the low-integrity binary 'ImageName'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP

Description

Process 'ProcessPath' (PID ProcessId) was blocked from loading the low-integrity binary 'ImageName'.

Message #

Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`TargetThreadId` UInt32	Thread ID in the target process.
`TargetThreadCreateTime` FILETIME	Creation timestamp of the target thread.
`ImageNameLength` UInt16
`ImageName` UnicodeString

Event ID 7: Process 'ProcessPath' (PID CallingProcessId) would have been blocking from loading a binary from a remote share.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocking from loading a binary from a remote share.

Message #

Process '%2' (PID %5) would have been blocking from loading a binary from a remote share.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Event ID 8: Process 'ProcessPath' (PID CallingProcessId) was blocked from loading a binary from a remote share.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from loading a binary from a remote share.

Message #

Process '%2' (PID %5) was blocked from loading a binary from a remote share.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Event ID 9: Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making system calls to Win32k.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making system calls to Win32k.sys.

Message #

Process '%2' (PID %5) would have been blocked from making system calls to Win32k.sys.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Event ID 10: Process 'ProcessPath' (PID CallingProcessId) was blocked from making system calls to Win32k.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Level: Warning
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from making system calls to Win32k.sys.

Message #

Process '%2' (PID %5) was blocked from making system calls to Win32k.sys.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 10,
    "version": 0,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:55:30.233087+00:00",
    "event_record_id": 194,
    "correlation": {},
    "execution": {
      "process_id": 17736,
      "thread_id": 9464
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ProcessPathLength": 65,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Mozilla Firefox\\firefox.exe",
    "ProcessCommandLineLength": 412,
    "ProcessCommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=7928 -childID 13 -isForBrowser -prefsHandle 7924 -prefMapHandle 7272 -prefsLen 37923 -prefMapSize 235045 -jsInitHandle 1588 -jsInitLen 235336 -parentBuildID 20231019122658 -win32kLockedDown -appDir \"C:\\Program Files\\Mozilla Firefox\\browser\" - {9095c7bc-c09b-4e88-a55a-1b4a7ff727a7} 4148 \"\\\\.\\pipe\\gecko-crash-server-pipe.4148\" 22025387bd0 tab",
    "CallingProcessId": 17736,
    "CallingProcessCreateTime": "2023-11-06T01:55:29.635202Z",
    "CallingProcessStartKey": 3659174697241340,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 9464,
    "CallingThreadCreateTime": "2023-11-06T01:55:29.635208Z"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 11: Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.

Message #

Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'.

Fields #

Name	Description	Rules
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString		2 detection rules
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`TargetThreadId` UInt32	Thread ID in the target process.
`TargetThreadCreateTime` FILETIME	Creation timestamp of the target thread.
`RequiredSignatureLevel` UInt8
`SignatureLevel` UInt8	Code integrity signing level of the process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`ImageNameLength` UInt16
`ImageName` UnicodeString		6 detection rules

Detection Patterns #

Stealth: DLL

Security-Mitigations Event ID 11: Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.OREvent ID 12: Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.

2 rules

Sigma

Microsoft Defender Blocked from Loading Unsigned DLL (source)

Bhabesh Raj

Unsigned Binary Loaded From Suspicious Location (source)

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Image`	contains	`\appdata\local\temp\`	1 rule	sigma
`Image`	contains	`\desktop\`	1 rule	sigma
`Image`	contains	`\downloads\`	1 rule	sigma
`Image`	contains	`\perflogs\`	1 rule	sigma
`Image`	contains	`\users\public\`	1 rule	sigma
`Image`	contains	`c:\windows\temp\`	1 rule	sigma

Event ID 12: Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Level: Warning
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES

Description

Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.

Message #

Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`TargetThreadId` UInt32	Thread ID in the target process.
`TargetThreadCreateTime` FILETIME	Creation timestamp of the target thread.
`RequiredSignatureLevel` UInt8
`SignatureLevel` UInt8	Code integrity signing level of the process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`ImageNameLength` UInt16
`ImageName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "{FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF}",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 3,
    "task": 6,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T05:39:33.8737054+00:00",
    "event_record_id": 71,
    "correlation": {},
    "execution": {
      "process_id": 4084,
      "thread_id": 7332
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessPathLength": "99",
    "ProcessPath": "\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.7-0\\MpCmdRun.exe",
    "ProcessCommandLineLength": "132",
    "ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.7-0\\MpCmdRun.exe\" Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob",
    "ProcessId": "4084",
    "ProcessCreateTime": "2026-06-13T05:39:30.8781793Z",
    "ProcessStartKey": "4222124650660460",
    "ProcessSignatureLevel": "8",
    "ProcessSectionSignatureLevel": "8",
    "ProcessProtection": "0",
    "TargetThreadId": "7332",
    "TargetThreadCreateTime": "2026-06-13T05:39:33.0602578Z",
    "RequiredSignatureLevel": "8",
    "SignatureLevel": "0",
    "ImageNameLength": "33",
    "ImageName": "\\Windows\\System32\\rpcFireWall.dll"
  },
  "message": "Process '\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.7-0\\MpCmdRun.exe' (PID 4084) was blocked from loading the non-Microsoft-signed binary '\\Windows\\System32\\rpcFireWall.dll'."
}

Detection Patterns #

Stealth: DLL

2 rules

Sigma

Microsoft Defender Blocked from Loading Unsigned DLL (source)

Bhabesh Raj

Unsigned Binary Loaded From Suspicious Location (source)

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Image`	contains	`\appdata\local\temp\`	1 rule	sigma
`Image`	contains	`\desktop\`	1 rule	sigma
`Image`	contains	`\downloads\`	1 rule	sigma
`Image`	contains	`\perflogs\`	1 rule	sigma
`Image`	contains	`\users\public\`	1 rule	sigma
`Image`	contains	`c:\windows\temp\`	1 rule	sigma

Event ID 13: Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`ModuleFullPath` UnicodeString
`ModuleBase` Pointer
`ModuleAddress` Pointer
`MemAddress` Pointer
`MemModuleFullPath` UnicodeString
`MemModuleBase` Pointer
`APIName` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 14: Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER

Description

Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`ModuleFullPath` UnicodeString
`ModuleBase` Pointer
`ModuleAddress` Pointer
`MemAddress` Pointer
`MemModuleFullPath` UnicodeString
`MemModuleBase` Pointer
`APIName` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 15: Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`ModuleFullPath` UnicodeString
`ModuleBase` Pointer
`ModuleAddress` Pointer
`MemAddress` Pointer
`MemModuleFullPath` UnicodeString
`MemModuleBase` Pointer
`APIName` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 16: Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS

Description

Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`ModuleFullPath` UnicodeString
`ModuleBase` Pointer
`ModuleAddress` Pointer
`MemAddress` Pointer
`MemModuleFullPath` UnicodeString
`MemModuleBase` Pointer
`APIName` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 17: Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Import Address Table for API 'APIName'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Import Address Table for API 'APIName'.

Message #

Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`ModuleFullPath` UnicodeString
`ModuleBase` Pointer
`ModuleAddress` Pointer
`MemAddress` Pointer
`MemModuleFullPath` UnicodeString
`MemModuleBase` Pointer
`APIName` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 18: Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Import Address Table for API 'APIName'.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER

Description

Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Import Address Table for API 'APIName'.

Message #

Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`ModuleFullPath` UnicodeString
`ModuleBase` Pointer
`ModuleAddress` Pointer
`MemAddress` Pointer
`MemModuleFullPath` UnicodeString
`MemModuleBase` Pointer
`APIName` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 19: Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_ROP_STACKPIVOT

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`HookedAPI` UnicodeString
`ReturnAddress` Pointer
`CalledAddress` Pointer
`TargetAddress` Pointer
`StackAddress` Pointer
`FrameAddress` Pointer
`ReturnAddressModuleFullPath` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 20: Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_ROP_STACKPIVOT

Description

Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`HookedAPI` UnicodeString
`ReturnAddress` Pointer
`CalledAddress` Pointer
`TargetAddress` Pointer
`StackAddress` Pointer
`FrameAddress` Pointer
`ReturnAddressModuleFullPath` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 21: Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_ROP_CALLERCHECK

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`HookedAPI` UnicodeString
`ReturnAddress` Pointer
`CalledAddress` Pointer
`TargetAddress` Pointer
`StackAddress` Pointer
`FrameAddress` Pointer
`ReturnAddressModuleFullPath` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 22: Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_ROP_CALLERCHECK

Description

Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`HookedAPI` UnicodeString
`ReturnAddress` Pointer
`CalledAddress` Pointer
`TargetAddress` Pointer
`StackAddress` Pointer
`FrameAddress` Pointer
`ReturnAddressModuleFullPath` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 23: Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_ROP_SIMEXEC

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`HookedAPI` UnicodeString
`ReturnAddress` Pointer
`CalledAddress` Pointer
`TargetAddress` Pointer
`StackAddress` Pointer
`FrameAddress` Pointer
`ReturnAddressModuleFullPath` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

Event ID 24: Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Provider: Microsoft-Windows-Security-Mitigations
Channel: UserMode
Collection Priority: Recommended (JSCU-NL)
Task: USER_MITIGATION_TASK_ROP_SIMEXEC

Description

Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

Name	Description
`Subcode` UInt32
`ProcessPath` UnicodeString
`ProcessId` UInt32
`HookedAPI` UnicodeString
`ReturnAddress` Pointer
`CalledAddress` Pointer
`TargetAddress` Pointer
`StackAddress` Pointer
`FrameAddress` Pointer
`ReturnAddressModuleFullPath` UnicodeString
`ProcessStartTime` FILETIME
`ThreadId` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager

Event ID 25: Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return address mismatch.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_CONTROL_PROTECTION_USER_MODE_RETURN_MISMATCH

Description

Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return address mismatch. The process will be allowed to continue execution.

Message #

Process '%2' (PID %5) has encountered a shadow stack return address mismatch. The process will be allowed to continue execution.

Return instruction executed from module '%12'.
Attempting to return to module '%14'.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`ControlPcImageNameLength` UInt16
`ControlPcImageName` UnicodeString
`RspContentsImageNameLength` UInt16
`RspContentsImageName` UnicodeString
`StrictMode` Boolean
`UserCetAppcompatOptions` UInt32
`NonenforcementReason` UInt32
`ControlPcAddress` Pointer
`ControlPcOffset` Pointer
`ControlPcCetCompat` Boolean
`RspContentsAddress` Pointer
`RspContentsOffset` Pointer
`RspContentsCetCompat` Boolean

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager

Event ID 26: Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return address mismatch.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_CONTROL_PROTECTION_USER_MODE_RETURN_MISMATCH

Description

Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return address mismatch. The process will be terminated.

Message #

Process '%2' (PID %5) has encountered a shadow stack return address mismatch. The process will be terminated.

Return instruction executed from module '%12'.
Attempting to return to module '%14'.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`ControlPcImageNameLength` UInt16
`ControlPcImageName` UnicodeString
`RspContentsImageNameLength` UInt16
`RspContentsImageName` UnicodeString
`StrictMode` Boolean
`UserCetAppcompatOptions` UInt32
`NonenforcementReason` UInt32
`ControlPcAddress` Pointer
`ControlPcOffset` Pointer
`ControlPcCetCompat` Boolean
`RspContentsAddress` Pointer
`RspContentsOffset` Pointer
`RspContentsCetCompat` Boolean

Event ID 27: Process 'ProcessPath' (PID ProcessId) would have been blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is ena...

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_USER_CET_SET_CONTEXT_IP_VALIDATION_FAILURE

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Message #

Process '%2' (PID %5) would have been blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`TargetIpImageNameLength` UInt16
`TargetIpImageName` UnicodeString
`StrictMode` Boolean
`ContinueType` UInt32

Event ID 28: Process 'ProcessPath' (PID ProcessId) was blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_USER_CET_SET_CONTEXT_IP_VALIDATION_FAILURE

Description

Process 'ProcessPath' (PID ProcessId) was blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Message #

Process '%2' (PID %5) was blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`TargetIpImageNameLength` UInt16
`TargetIpImageName` UnicodeString
`StrictMode` Boolean
`ContinueType` UInt32

Event ID 29: Process 'ProcessPath' (PID ProcessId) would have been blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing...

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_BLOCK_NON_CET_BINARIES

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.

Message #

Process '%2' (PID %5) would have been blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.
Process requires binaries to also contain exception handling continuation data: %15

Binary path: %12
Binary compatible with shadow stacks: %13
Binary contains exception handling continuation data: %14

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`MappedImageNameLength` UInt16
`MappedImageName` UnicodeString
`ImageCetShadowStacksReady` Boolean
`ImageEHContinuationTablePresent` Boolean
`NonEhcontMode` Boolean

Event ID 30: Process 'ProcessPath' (PID ProcessId) was blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception h...

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_BLOCK_NON_CET_BINARIES

Description

Process 'ProcessPath' (PID ProcessId) was blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.

Message #

Process '%2' (PID %5) was blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.
Process requires binaries to also contain exception handling continuation data: %15

Binary path: %12
Binary compatible with shadow stacks: %13
Binary contains exception handling continuation data: %14

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`MappedImageNameLength` UInt16
`MappedImageName` UnicodeString
`ImageCetShadowStacksReady` Boolean
`ImageEHContinuationTablePresent` Boolean
`NonEhcontMode` Boolean

Event ID 31: Process 'Arguments' (PID Impersonating) would have been blocked from following an untrusted redirection.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_REDIRECTION_TRUST_POLICY

Description

Process 'Arguments' (PID Impersonating) would have been blocked from following an untrusted redirection.

Message #

Process '%2' (PID %5) would have been blocked from following an untrusted redirection: 

Binary path: %2
Arguments: %4
Redirection Type: %11
Operation Path: %13
Impersonating: %14

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`RedirectionType` UInt32
`OperationPathLength` UInt16
`OperationPath` UnicodeString
`Impersonating` Boolean
`Module1` UnicodeString
`Module1Offset` UInt64
`Module2` UnicodeString
`Module2Offset` UInt64
`Module3` UnicodeString
`Module3Offset` UInt64
`Module4` UnicodeString
`Module4Offset` UInt64
`Module5` UnicodeString
`Module5Offset` UInt64
`Module6` UnicodeString
`Module6Offset` UInt64
`Module7` UnicodeString
`Module7Offset` UInt64
`Module8` UnicodeString
`Module8Offset` UInt64
`Module9` UnicodeString
`Module9Offset` UInt64
`Module10` UnicodeString
`Module10Offset` UInt64
`Module11` UnicodeString
`Module11Offset` UInt64
`Module12` UnicodeString
`Module12Offset` UInt64
`Module13` UnicodeString
`Module13Offset` UInt64
`Module14` UnicodeString
`Module14Offset` UInt64
`Module15` UnicodeString
`Module15Offset` UInt64
`Module16` UnicodeString
`Module16Offset` UInt64

Event ID 32: Process 'Arguments' (PID Impersonating) was blocked from following an untrusted redirection.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_REDIRECTION_TRUST_POLICY

Description

Process 'Arguments' (PID Impersonating) was blocked from following an untrusted redirection.

Message #

Process '%2' (PID %5) was blocked from following an untrusted redirection: 

Binary path: %2
Arguments: %4
Redirection Type: %11
Operation Path: %13
Impersonating: %14

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`ProcessId` UInt32
`ProcessCreateTime` FILETIME
`ProcessStartKey` UInt64
`ProcessSignatureLevel` UInt8
`ProcessSectionSignatureLevel` UInt8
`ProcessProtection` UInt8
`RedirectionType` UInt32
`OperationPathLength` UInt16
`OperationPath` UnicodeString
`Impersonating` Boolean
`Module1` UnicodeString
`Module1Offset` UInt64
`Module2` UnicodeString
`Module2Offset` UInt64
`Module3` UnicodeString
`Module3Offset` UInt64
`Module4` UnicodeString
`Module4Offset` UInt64
`Module5` UnicodeString
`Module5Offset` UInt64
`Module6` UnicodeString
`Module6Offset` UInt64
`Module7` UnicodeString
`Module7Offset` UInt64
`Module8` UnicodeString
`Module8Offset` UInt64
`Module9` UnicodeString
`Module9Offset` UInt64
`Module10` UnicodeString
`Module10Offset` UInt64
`Module11` UnicodeString
`Module11Offset` UInt64
`Module12` UnicodeString
`Module12Offset` UInt64
`Module13` UnicodeString
`Module13Offset` UInt64
`Module14` UnicodeString
`Module14Offset` UInt64
`Module15` UnicodeString
`Module15Offset` UInt64
`Module16` UnicodeString
`Module16Offset` UInt64

Event ID 33: The system has encountered a kernel-mode shadow stack return address mismatch.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_CONTROL_PROTECTION_KERNEL_MODE_RETURN_MISMATCH

Description

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be allowed to continue execution because: NonenforcementReason.

Message #

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be allowed to continue execution because: %5.

Return instruction executed from module '%2'.
(Instruction address: %6, module offset: %7)

Attempting to return to module '%4'.
(Instruction address: %9, module offset: %10)

Fields #

Name	Description
`ControlPcImageNameLength` UInt16
`ControlPcImageName` UnicodeString
`RspContentsImageNameLength` UInt16
`RspContentsImageName` UnicodeString
`NonenforcementReason` UInt32
`ControlPcAddress` Pointer
`ControlPcOffset` Pointer
`ControlPcCetCompat` Boolean
`RspContentsAddress` Pointer
`RspContentsOffset` Pointer
`RspContentsCetCompat` Boolean
`ShadowStackOverflowReset` Boolean
`ErrorCode` UInt32

Event ID 34: The system has encountered a kernel-mode shadow stack return address mismatch.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_CONTROL_PROTECTION_KERNEL_MODE_RETURN_MISMATCH

Description

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be terminated.

Message #

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be terminated.

Return instruction executed from module '%2'.
(Instruction address: %6, module offset: %7)

Attempting to return to module '%4'.
(Instruction address: %9, module offset: %10)

Fields #

Name	Description
`ControlPcImageNameLength` UInt16
`ControlPcImageName` UnicodeString
`RspContentsImageNameLength` UInt16
`RspContentsImageName` UnicodeString
`NonenforcementReason` UInt32
`ControlPcAddress` Pointer
`ControlPcOffset` Pointer
`ControlPcCetCompat` Boolean
`RspContentsAddress` Pointer
`RspContentsOffset` Pointer
`RspContentsCetCompat` Boolean
`ShadowStackOverflowReset` Boolean
`ErrorCode` UInt32

Event ID 35: Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making the NtFsControlFile system call.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_PROHIBIT_FSCTL_SYSTEM_CALLS

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making the NtFsControlFile system call.

Message #

Process '%2' (PID %5) would have been blocked from making the NtFsControlFile system call.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Event ID 36: Process 'ProcessPath' (PID CallingProcessId) was blocked from making the NtFsControlFile system call.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Task: KERNEL_MITIGATION_TASK_PROHIBIT_FSCTL_SYSTEM_CALLS

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from making the NtFsControlFile system call.

Message #

Process '%2' (PID %5) was blocked from making the NtFsControlFile system call.

Fields #

Name	Description
`ProcessPathLength` UInt16
`ProcessPath` UnicodeString
`ProcessCommandLineLength` UInt16
`ProcessCommandLine` UnicodeString
`CallingProcessId` UInt32	Process ID of the process initiating the operation.
`CallingProcessCreateTime` FILETIME	Creation timestamp of the calling process (FILETIME). Combined with CallingProcessId, uniquely identifies the process instance.
`CallingProcessStartKey` UInt64	Kernel-assigned unique key for the calling process. Survives PID reuse.
`CallingProcessSignatureLevel` UInt8	Code integrity signing level of the calling process executable. Known values `0x00` Unchecked `0x04` Authenticode `0x08` Microsoft `0x0C` Windows `0x0E` WindowsTCB
`CallingProcessSectionSignatureLevel` UInt8	Minimum signing level required for DLLs loaded into the calling process.
`CallingProcessProtection` UInt8	PS_PROTECTION byte of the calling process. Bitmask flags `type (bits 0-2)=0` None `type (bits 0-2)=1` PPL `type (bits 0-2)=2` PP `signer (bits 4-7)=0` None `signer (bits 4-7)=3` Antimalware `signer (bits 4-7)=4` Lsa `signer (bits 4-7)=5` Windows `signer (bits 4-7)=6` WinTcb
`CallingThreadId` UInt32	Thread ID within the calling process that initiated the operation.
`CallingThreadCreateTime` FILETIME	Creation timestamp of the calling thread.

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID fae10392-f0af-4ac0-b8ff-9f4d920c3cdf

Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)