T1553.006

Code Signing Policy Modification

Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. On Windows, this includes enabling TESTSIGNING boot mode via bcdedit.exe, disabling Driver Signature Enforcement (DSE) by modifying the g_CiOptions kernel variable (typically via a BYOVD exploit), or changing registry keys that control signed DLL enforcement such as RequireSignedAppInit_DLLs. On macOS, adversaries disable System Integrity Protection (SIP) using csrutil disable from Recovery Mode. Threat actors including APT39, BlackEnergy, Hikit, Pandora, and Turla have used these techniques to load unsigned rootkit drivers and persist with kernel-level access.

Microsoft Sentinel / Defender

kusto

// T1553.006 — Code Signing Policy Modification
// Detects bcdedit enabling test signing or disabling integrity checks, and registry
// modifications to code signing enforcement keys (RequireSignedAppInit_DLLs, HVCI, VBS).
let SuspiciousBcdeditArgs = dynamic(["testsigning", "nointegritychecks", "bootdebug", "loadoptions safeboot", "recoveryenabled"]);
let CIRegistryPaths = dynamic([
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
    "\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard",
    "\\SYSTEM\\CurrentControlSet\\Control\\CI",
    "\\SYSTEM\\CurrentControlSet\\Control\\CodeIntegrity"
]);
let CIRegistryValues = dynamic([
    "RequireSignedAppInit_DLLs",
    "LoadAppInit_DLLs",
    "EnableVirtualizationBasedSecurity",
    "HypervisorEnforcedCodeIntegrity",
    "RequirePlatformSecurityFeatures"
]);
// Branch 1: bcdedit modifying boot-time signing enforcement
let BcdeditEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bcdedit.exe"
| where ProcessCommandLine has_any (SuspiciousBcdeditArgs)
| extend DetectionType = "BCD_Policy_Modification"
| extend SigningContext = case(
    ProcessCommandLine has "testsigning" and ProcessCommandLine has "on",
        "CRITICAL: TESTSIGNING enabled — unsigned kernel drivers can now load",
    ProcessCommandLine has "nointegritychecks" and ProcessCommandLine has "on",
        "CRITICAL: nointegritychecks enabled — DSE fully bypassed",
    ProcessCommandLine has "bootdebug" and ProcessCommandLine has "on",
        "HIGH: Boot debug mode enabled",
    ProcessCommandLine has "testsigning" and ProcessCommandLine has "off",
        "INFO: TESTSIGNING disabled (possible cleanup after malicious activity)",
    "MEDIUM: Suspicious BCD policy modification"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionType, SigningContext;
// Branch 2: Registry changes disabling code integrity enforcement
let RegistryEvents = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (CIRegistryPaths)
| where RegistryValueName has_any (CIRegistryValues)
| where (RegistryValueName in~ ("RequireSignedAppInit_DLLs", "EnableVirtualizationBasedSecurity",
         "HypervisorEnforcedCodeIntegrity", "RequirePlatformSecurityFeatures")
         and RegistryValueData in ("0", "0x00000000", "00000000"))
     or (RegistryValueName =~ "LoadAppInit_DLLs" and RegistryValueData in ("1", "0x00000001", "00000001"))
| extend DetectionType = "Registry_CISigning_Modification"
| extend SigningContext = strcat(
    "Registry code signing enforcement changed: ",
    RegistryValueName, " = ", RegistryValueData,
    " in key: ", RegistryKey
  )
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         FileName = InitiatingProcessFileName,
         ProcessCommandLine = InitiatingProcessCommandLine,
         InitiatingProcessFileName,
         InitiatingProcessCommandLine,
         DetectionType, SigningContext;
union BcdeditEvents, RegistryEvents
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Kernel developers and driver developers legitimately enabling TESTSIGNING on dedicated test machines to load unsigned development drivers during the development and testing lifecycle
IT administrators temporarily disabling RequireSignedAppInit_DLLs to diagnose application compatibility issues with legacy software
Security researchers or malware analysts enabling test signing on sandboxed VMs to study unsigned samples in a controlled environment
Hardware OEM imaging processes that configure test signing during factory provisioning or QA testing before shipping
Enterprise software products (some legacy DLP, endpoint agents) that set LoadAppInit_DLLs as part of their legitimate injection mechanism

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| where (EventCode=1 AND match(lower(Image), "bcdedit\.exe") AND match(lower(CommandLine), "(testsigning|nointegritychecks|bootdebug)"))
   OR (EventCode=13 AND (
         match(TargetObject, "(?i)Windows\\RequireSignedAppInit_DLLs") OR
         match(TargetObject, "(?i)Windows\\LoadAppInit_DLLs") OR
         match(TargetObject, "(?i)DeviceGuard\\EnableVirtualizationBasedSecurity") OR
         match(TargetObject, "(?i)DeviceGuard\\HypervisorEnforcedCodeIntegrity") OR
         match(TargetObject, "(?i)DeviceGuard\\RequirePlatformSecurityFeatures") OR
         match(TargetObject, "(?i)Control\\CI\\")
       ))
   OR (EventCode=4657 AND (
         match(ObjectName, "(?i)RequireSignedAppInit") OR
         match(ObjectName, "(?i)DeviceGuard") OR
         match(ObjectName, "(?i)\\Control\\CI")
       ))
| eval detection_type=case(
    EventCode=1, "BCD_Policy_Modification_bcdedit",
    EventCode=13, "Sysmon_Registry_CISigning_Modification",
    EventCode=4657, "Security_Audit_Registry_CISigning",
    true(), "Unknown"
  )
| eval testsigning_enabled=if(
    EventCode=1 AND match(lower(CommandLine), "testsigning") AND match(lower(CommandLine), "\bset\b") AND match(lower(CommandLine), "\bon\b"),
    1, 0
  )
| eval integrity_checks_disabled=if(
    EventCode=1 AND match(lower(CommandLine), "nointegritychecks") AND match(lower(CommandLine), "\bon\b"),
    1, 0
  )
| eval hvci_disabled=if(
    EventCode=13 AND match(TargetObject, "(?i)HypervisorEnforcedCodeIntegrity") AND match(Details, "(?i)DWORD \(0x0+\)"),
    1, 0
  )
| eval requiresigned_disabled=if(
    EventCode=13 AND match(TargetObject, "(?i)RequireSignedAppInit_DLLs") AND match(Details, "(?i)DWORD \(0x0+\)"),
    1, 0
  )
| eval severity=case(
    integrity_checks_disabled=1, "critical",
    testsigning_enabled=1, "high",
    hvci_disabled=1, "critical",
    requiresigned_disabled=1, "high",
    true(), "medium"
  )
| table _time, host, User, Image, CommandLine, TargetObject, Details, ParentImage, ParentCommandLine,
        detection_type, testsigning_enabled, integrity_checks_disabled, hvci_disabled, requiresigned_disabled, severity
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 (Process Create) Sysmon Event ID 13 (Registry Value Set) Windows Security Event ID 4657 (Registry Value Modified)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Kernel developers enabling TESTSIGNING on dedicated driver development workstations
IT administrators disabling RequireSignedAppInit_DLLs for legacy application compatibility troubleshooting
Security researchers enabling test signing in isolated sandbox VMs for malware analysis
OEM imaging or factory provisioning workflows that temporarily configure test signing modes
Enterprise endpoint agents that legitimately set LoadAppInit_DLLs for their injection mechanism

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "hostname",
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Target Object" AS registry_target,
  "Details" AS registry_value,
  CASE
    WHEN LOWER("Command") LIKE '%nointegritychecks%' AND LOWER("Command") LIKE '%on%' THEN 'critical'
    WHEN LOWER("Command") LIKE '%testsigning%' AND LOWER("Command") LIKE '%on%' THEN 'high'
    WHEN LOWER("Target Object") LIKE '%HypervisorEnforcedCodeIntegrity%' THEN 'critical'
    WHEN LOWER("Target Object") LIKE '%RequireSignedAppInit_DLLs%' THEN 'high'
    WHEN LOWER("Target Object") LIKE '%EnableVirtualizationBasedSecurity%' THEN 'high'
    ELSE 'medium'
  END AS severity,
  CASE
    WHEN "Process Name" LIKE '%bcdedit%' THEN 'BCD_Policy_Modification'
    WHEN "Target Object" LIKE '%DeviceGuard%' OR "Target Object" LIKE '%CI%' THEN 'Registry_CI_Modification'
    ELSE 'Code_Signing_Policy_Change'
  END AS detection_type
FROM events
WHERE
  starttime > NOW() - 1 DAYS
  AND (
    (
      LOGSOURCETYPEID = 119  -- Microsoft Windows Security Event Log
      AND qid IN (
        SELECT qid FROM qidmap WHERE eventid IN (4688, 4657)
      )
      AND (
        ("Process Name" ILIKE '%bcdedit%'
          AND (LOWER("Command") LIKE '%testsigning%'
               OR LOWER("Command") LIKE '%nointegritychecks%'
               OR LOWER("Command") LIKE '%bootdebug%'))
        OR
        ("Object Name" ILIKE '%RequireSignedAppInit%'
          OR "Object Name" ILIKE '%DeviceGuard%'
          OR "Object Name" ILIKE '%\\Control\\CI%'
          OR "Object Name" ILIKE '%CodeIntegrity%')
      )
    )
    OR
    (
      LOGSOURCETYPEID = 215  -- Sysmon
      AND (
        (qid IN (SELECT qid FROM qidmap WHERE eventid = 1)
          AND LOWER("Image") LIKE '%bcdedit%'
          AND (LOWER("CommandLine") LIKE '%testsigning%'
               OR LOWER("CommandLine") LIKE '%nointegritychecks%'
               OR LOWER("CommandLine") LIKE '%bootdebug%'))
        OR
        (qid IN (SELECT qid FROM qidmap WHERE eventid = 13)
          AND (
            "TargetObject" ILIKE '%RequireSignedAppInit_DLLs%'
            OR "TargetObject" ILIKE '%LoadAppInit_DLLs%'
            OR "TargetObject" ILIKE '%HypervisorEnforcedCodeIntegrity%'
            OR "TargetObject" ILIKE '%EnableVirtualizationBasedSecurity%'
            OR "TargetObject" ILIKE '%RequirePlatformSecurityFeatures%'
            OR "TargetObject" ILIKE '%\\Control\\CI\\%'
            OR "TargetObject" ILIKE '%\\Control\\CodeIntegrity%'
          )
        )
      )
    )
  )
ORDER BY starttime DESC

critical severity medium confidence

Data Sources

Microsoft Windows Security Event Log (DSM) Microsoft Sysmon (DSM) IBM QRadar SIEM

Required Tables

events

False Positives

IT operations teams running bcdedit as part of Windows OS upgrade or repair procedures such as rebuilding BCD stores after corruption
Software developers on approved developer workstations enabling TESTSIGNING to load in-development kernel drivers that have not yet been submitted for WHQL signing
Vulnerability management or penetration testing teams running authorized BYOVD simulation tests on isolated lab hosts as part of red team exercises

Sumo Logic CSE

sql

_sourceCategory=windows/*
| where _sourceName matches "*WinEventLog*" or _sourceName matches "*Sysmon*"
| parse "EventCode=*]" as EventCode nodrop
| parse "EventID=*]" as EventCode nodrop
| where EventCode in ("1", "13", "4688", "4657")
| parse field=_raw "<Data Name='Image'>*</Data>" as image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='TargetObject'>*</Data>" as target_object nodrop
| parse field=_raw "<Data Name='Details'>*</Data>" as reg_details nodrop
| parse field=_raw "<Data Name='NewProcessName'>*</Data>" as image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='ObjectName'>*</Data>" as target_object nodrop
| parse field=_raw "<Data Name='NewValue'>*</Data>" as reg_details nodrop
| parse field=_raw "Computer=\"*\"" as hostname nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as username nodrop
| parse field=_raw "<Data Name='SubjectUserName'>*</Data>" as username nodrop
| where (
    (EventCode in ("1", "4688")
     and matches(toLowerCase(image), ".*bcdedit\.exe.*")
     and (
       matches(toLowerCase(command_line), ".*testsigning.*")
       or matches(toLowerCase(command_line), ".*nointegritychecks.*")
       or matches(toLowerCase(command_line), ".*bootdebug.*")
       or matches(toLowerCase(command_line), ".*safeboot.*")
     )
    )
    or
    (EventCode in ("13", "4657")
     and (
       matches(target_object, "(?i).*RequireSignedAppInit_DLLs.*")
       or matches(target_object, "(?i).*LoadAppInit_DLLs.*")
       or matches(target_object, "(?i).*HypervisorEnforcedCodeIntegrity.*")
       or matches(target_object, "(?i).*EnableVirtualizationBasedSecurity.*")
       or matches(target_object, "(?i).*RequirePlatformSecurityFeatures.*")
       or matches(target_object, "(?i).*\\Control\\CI\\.*")
       or matches(target_object, "(?i).*\\Control\\CodeIntegrity.*")
     )
    )
  )
| eval detection_type = if(EventCode in ("1","4688"), "BCD_Policy_Modification",
    if(EventCode in ("13","4657"), "Registry_CISigning_Modification", "Unknown"))
| eval severity = if(
    matches(toLowerCase(command_line), ".*nointegritychecks.*on.*"), "critical",
    if(matches(toLowerCase(command_line), ".*testsigning.*on.*"), "high",
    if(matches(target_object, "(?i).*HypervisorEnforcedCodeIntegrity.*"), "critical",
    if(matches(target_object, "(?i).*RequireSignedAppInit.*"), "high", "medium"))))
| eval testsigning_enabled = if(matches(toLowerCase(command_line), ".*testsigning.*") and matches(toLowerCase(command_line), ".*\\bon\\b.*"), "true", "false")
| eval hvci_modified = if(matches(target_object, "(?i).*HypervisorEnforcedCodeIntegrity.*"), "true", "false")
| fields _messagetime, hostname, username, image, command_line, target_object, reg_details, detection_type, severity, testsigning_enabled, hvci_modified
| sort by _messagetime desc

critical severity high confidence

Data Sources

Windows Event Log collector (Security, System) Sysmon via Sumo Logic Windows collector Sumo Logic Cloud SIEM Enterprise

Required Tables

_sourceCategory=windows/*

False Positives

Enterprise driver development labs where TESTSIGNING is a routine part of the internal kernel driver build-test-sign cycle, generating high volumes of bcdedit events on known developer machines
Helpdesk or IT admin accounts running bcdedit to recover systems stuck in boot loops or to disable Secure Boot for OS reinstallation on endpoint hardware
Endpoint security product deployments (e.g., CrowdStrike, Carbon Black) that write to DeviceGuard or CI registry paths during installation or sensor update workflows

Google Chronicle / SecOps

yaral

rule t1553_006_code_signing_policy_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1553.006 Code Signing Policy Modification — bcdedit enabling test signing or disabling integrity checks, and registry modifications disabling HVCI, RequireSignedAppInit_DLLs, EnableVirtualizationBasedSecurity, or CI control keys. Used by APT39, BlackEnergy, Turla, and Pandora for BYOVD rootkit staging."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1553.006"
    severity = "CRITICAL"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    (
      // Branch 1: bcdedit test signing or integrity check bypass
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)\\bcdedit\.exe$`)
      and (
        re.regex($e1.target.process.command_line, `(?i)testsigning`) or
        re.regex($e1.target.process.command_line, `(?i)nointegritychecks`) or
        re.regex($e1.target.process.command_line, `(?i)bootdebug`) or
        re.regex($e1.target.process.command_line, `(?i)loadoptions.*safeboot`)
      )
    )
    or
    (
      // Branch 2: Registry modifications disabling code integrity controls
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e1.target.registry.registry_key, `(?i)\\Windows\\RequireSignedAppInit_DLLs`) or
        re.regex($e1.target.registry.registry_key, `(?i)\\Windows\\LoadAppInit_DLLs`) or
        re.regex($e1.target.registry.registry_key, `(?i)DeviceGuard\\EnableVirtualizationBasedSecurity`) or
        re.regex($e1.target.registry.registry_key, `(?i)DeviceGuard\\HypervisorEnforcedCodeIntegrity`) or
        re.regex($e1.target.registry.registry_key, `(?i)DeviceGuard\\RequirePlatformSecurityFeatures`) or
        re.regex($e1.target.registry.registry_key, `(?i)\\Control\\CI\\`) or
        re.regex($e1.target.registry.registry_key, `(?i)\\Control\\CodeIntegrity`)
      )
      and (
        $e1.target.registry.registry_value_data = "0" or
        re.regex($e1.target.registry.registry_value_data, `(?i)0x0+$`)
      )
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle UDM Windows Event Log forwarding to Chronicle Sysmon telemetry ingested via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH, REGISTRY_MODIFICATION)

False Positives

Legitimate kernel driver developers on approved engineering workstations enabling TESTSIGNING as part of a signed, supervised internal development workflow
IT automation scripts (Ansible, Puppet, Chef) managing DeviceGuard registry baseline configuration as part of gold image build pipelines — may write zero values before re-enabling via policy
Microsoft Defender Credential Guard setup and teardown procedures that temporarily modify EnableVirtualizationBasedSecurity or HypervisorEnforcedCodeIntegrity registry values

CrowdStrike LogScale (CQL)

cql

// T1553.006 — Code Signing Policy Modification
// Branch 1: bcdedit enabling test signing or disabling integrity checks
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)\\bcdedit\.exe$/
| CommandLine = /(?i)(testsigning|nointegritychecks|bootdebug|loadoptions\s+safeboot)/
| severity := case(
    CommandLine = /(?i)nointegritychecks.{0,30}\bon\b/ => "critical",
    CommandLine = /(?i)testsigning.{0,30}\bon\b/ => "high",
    CommandLine = /(?i)bootdebug.{0,30}\bon\b/ => "high",
    * => "medium"
  )
| detection_type := "BCD_Policy_Modification"
| signing_context := case(
    CommandLine = /(?i)testsigning.{0,30}\bon\b/ => "TESTSIGNING enabled: unsigned kernel drivers can load",
    CommandLine = /(?i)nointegritychecks.{0,30}\bon\b/ => "nointegritychecks enabled: DSE fully bypassed",
    CommandLine = /(?i)bootdebug.{0,30}\bon\b/ => "Boot debug mode enabled",
    * => "Suspicious BCD policy argument detected"
  )
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, detection_type, signing_context, severity])

// Branch 2: Registry modifications disabling code integrity controls (requires RegValueSet events)
// Run separately or union:
// #event_simpleName = "RegValueSet"
// | RegObjectName = /(?i)(RequireSignedAppInit_DLLs|LoadAppInit_DLLs|HypervisorEnforcedCodeIntegrity|EnableVirtualizationBasedSecurity|RequirePlatformSecurityFeatures|\\Control\\CI\\|\\Control\\CodeIntegrity)/
// | RegValueData in ("0", "0x00000000", "00000000")
// | detection_type := "Registry_CISigning_Modification"
// | severity := case(
//     RegObjectName = /(?i)HypervisorEnforcedCodeIntegrity/ => "critical",
//     RegObjectName = /(?i)RequireSignedAppInit_DLLs/ => "high",
//     RegObjectName = /(?i)EnableVirtualizationBasedSecurity/ => "high",
//     * => "medium"
//   )
// | table([_time, ComputerName, UserName, RegObjectName, RegValueData, detection_type, severity])

// Combined query using groupBy for alert aggregation
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)\\bcdedit\.exe$/
| CommandLine = /(?i)(testsigning|nointegritychecks|bootdebug)/
| groupBy([ComputerName, UserName, CommandLine], function=[count(as=event_count), min(_time, as=first_seen), max(_time, as=last_seen), collect([ImageFileName, ParentImageFileName, ParentCommandLine])])
| sort(last_seen, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 telemetry Falcon RegValueSet telemetry (requires registry monitoring enabled) CrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2 RegValueSet

False Positives

Windows kernel driver developers on exception-listed developer machines who regularly invoke bcdedit with TESTSIGNING as part of approved local driver test workflows — these hosts should be tagged with a suppression label in Falcon
System recovery scenarios where IT support staff run bcdedit to repair a corrupted BCD store or re-enable boot entries on systems that failed to start after a Windows Update
Automated build pipeline agents (e.g., Azure DevOps build agents, Jenkins nodes) that run hardware-in-the-loop driver certification tests requiring temporary TESTSIGNING mode on isolated VMs

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1553.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper Bypass T1553.002Code Signing T1553.003SIP and Trust Provider Hijacking T1553.004Install Root Certificate T1553.005Mark-of-the-Web Bypass

Code Signing Policy Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections