Detection / DETPublic file

ASP.NET ViewState Deserialization Passed Integrity Validation

Detects an ASP.NET Event ID 1316 message indicating that a ViewState payload passed integrity validation and reached deserialization, which may indicate exploitation with a valid machine key.

Sigma source

Raw YAML
title: ASP.NET ViewState Deserialization Passed Integrity Validation
id: f089ce37-14a9-477f-9198-a57eafcd79cc
status: stable
author: FRAME ZERO
date: 2026-07-15
description: Detects an ASP.NET Event ID 1316 message indicating that a ViewState payload passed integrity validation and reached deserialization, which may indicate exploitation with a valid machine key.
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
logsource:
  product: windows
  service: application
detection:
  selection:
    EventID: 1316
    Message|contains|all:
      - 'Event code: 4009'
      - 'Reason: Viewstate was invalid'
  condition: selection
falsepositives:
  - Application defects or deployment changes that submit invalid ViewState data signed with a valid machine key
  - Load-balanced ASP.NET systems with legitimate machine-key or application-state inconsistencies
level: high
tags:
  - attack.initial-access
  - attack.t1190
telemetry_assumptions:
  - Windows Application events from internet-facing ASP.NET servers are forwarded before local tampering.
  - Full event message text, provider name, host identity, and adjacent IIS request logs are retained.
related_publication: knowledgedeliver-viewstate-zero-day-bluebeam

Relationships

Related files