ASP.NET ViewState Deserialization Passed Integrity Validation
Detects an ASP.NET Event ID 1316 message indicating that a ViewState payload passed integrity validation and reached deserialization, which may indicate exploitation with a valid machine key.
Sigma source
Raw YAMLtitle: ASP.NET ViewState Deserialization Passed Integrity Validation
id: f089ce37-14a9-477f-9198-a57eafcd79cc
status: stable
author: FRAME ZERO
date: 2026-07-15
description: Detects an ASP.NET Event ID 1316 message indicating that a ViewState payload passed integrity validation and reached deserialization, which may indicate exploitation with a valid machine key.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
logsource:
product: windows
service: application
detection:
selection:
EventID: 1316
Message|contains|all:
- 'Event code: 4009'
- 'Reason: Viewstate was invalid'
condition: selection
falsepositives:
- Application defects or deployment changes that submit invalid ViewState data signed with a valid machine key
- Load-balanced ASP.NET systems with legitimate machine-key or application-state inconsistencies
level: high
tags:
- attack.initial-access
- attack.t1190
telemetry_assumptions:
- Windows Application events from internet-facing ASP.NET servers are forwarded before local tampering.
- Full event message text, provider name, host identity, and adjacent IIS request logs are retained.
related_publication: knowledgedeliver-viewstate-zero-day-bluebeam