Detect Code Signing Policy Modification in IBM QRadar
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. On Windows, this includes enabling TESTSIGNING boot mode via bcdedit.exe, disabling Driver Signature Enforcement (DSE) by modifying the g_CiOptions kernel variable (typically via a BYOVD exploit), or changing registry keys that control signed DLL enforcement such as RequireSignedAppInit_DLLs. On macOS, adversaries disable System Integrity Protection (SIP) using csrutil disable from Recovery Mode. Threat actors including APT39, BlackEnergy, Hikit, Pandora, and Turla have used these techniques to load unsigned rootkit drivers and persist with kernel-level access.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Sub-technique
- T1553.006 Code Signing Policy Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1553/006/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
username,
"hostname",
QIDNAME(qid) AS event_name,
CATEGORYNAME(category) AS category_name,
"Process Name" AS process_name,
"Command" AS command_line,
"Target Object" AS registry_target,
"Details" AS registry_value,
CASE
WHEN LOWER("Command") LIKE '%nointegritychecks%' AND LOWER("Command") LIKE '%on%' THEN 'critical'
WHEN LOWER("Command") LIKE '%testsigning%' AND LOWER("Command") LIKE '%on%' THEN 'high'
WHEN LOWER("Target Object") LIKE '%HypervisorEnforcedCodeIntegrity%' THEN 'critical'
WHEN LOWER("Target Object") LIKE '%RequireSignedAppInit_DLLs%' THEN 'high'
WHEN LOWER("Target Object") LIKE '%EnableVirtualizationBasedSecurity%' THEN 'high'
ELSE 'medium'
END AS severity,
CASE
WHEN "Process Name" LIKE '%bcdedit%' THEN 'BCD_Policy_Modification'
WHEN "Target Object" LIKE '%DeviceGuard%' OR "Target Object" LIKE '%CI%' THEN 'Registry_CI_Modification'
ELSE 'Code_Signing_Policy_Change'
END AS detection_type
FROM events
WHERE
starttime > NOW() - 1 DAYS
AND (
(
LOGSOURCETYPEID = 119 -- Microsoft Windows Security Event Log
AND qid IN (
SELECT qid FROM qidmap WHERE eventid IN (4688, 4657)
)
AND (
("Process Name" ILIKE '%bcdedit%'
AND (LOWER("Command") LIKE '%testsigning%'
OR LOWER("Command") LIKE '%nointegritychecks%'
OR LOWER("Command") LIKE '%bootdebug%'))
OR
("Object Name" ILIKE '%RequireSignedAppInit%'
OR "Object Name" ILIKE '%DeviceGuard%'
OR "Object Name" ILIKE '%\\Control\\CI%'
OR "Object Name" ILIKE '%CodeIntegrity%')
)
)
OR
(
LOGSOURCETYPEID = 215 -- Sysmon
AND (
(qid IN (SELECT qid FROM qidmap WHERE eventid = 1)
AND LOWER("Image") LIKE '%bcdedit%'
AND (LOWER("CommandLine") LIKE '%testsigning%'
OR LOWER("CommandLine") LIKE '%nointegritychecks%'
OR LOWER("CommandLine") LIKE '%bootdebug%'))
OR
(qid IN (SELECT qid FROM qidmap WHERE eventid = 13)
AND (
"TargetObject" ILIKE '%RequireSignedAppInit_DLLs%'
OR "TargetObject" ILIKE '%LoadAppInit_DLLs%'
OR "TargetObject" ILIKE '%HypervisorEnforcedCodeIntegrity%'
OR "TargetObject" ILIKE '%EnableVirtualizationBasedSecurity%'
OR "TargetObject" ILIKE '%RequirePlatformSecurityFeatures%'
OR "TargetObject" ILIKE '%\\Control\\CI\\%'
OR "TargetObject" ILIKE '%\\Control\\CodeIntegrity%'
)
)
)
)
)
ORDER BY starttime DESCQRadar AQL detection for T1553.006 querying both Windows Security Event Log (EventIDs 4688 process creation, 4657 registry audit) and Sysmon (EventID 1 process, EventID 13 registry set value). Identifies bcdedit.exe invocations enabling test signing or disabling integrity checks, and registry writes disabling DeviceGuard/HVCI/RequireSignedAppInit_DLLs controls. Severity is computed inline using CASE logic based on the specific policy being modified.
Data Sources
Required Tables
False Positives & Tuning
- IT operations teams running bcdedit as part of Windows OS upgrade or repair procedures such as rebuilding BCD stores after corruption
- Software developers on approved developer workstations enabling TESTSIGNING to load in-development kernel drivers that have not yet been submitted for WHQL signing
- Vulnerability management or penetration testing teams running authorized BYOVD simulation tests on isolated lab hosts as part of red team exercises
Other platforms for T1553.006
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable TESTSIGNING Boot Mode via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\bcdedit.exe, CommandLine='bcdedit /set testsigning on'. Security Event ID 4688 (with process command line auditing enabled) with same details. Note: no additional event is generated when TESTSIGNING takes effect at next reboot — the bcdedit process event is the only log entry.
- Test 2Disable Driver Signature Enforcement via nointegritychecks
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe and CommandLine containing 'nointegritychecks on'. Security Event ID 4688 if process command line auditing is enabled. Microsoft-Windows-Kernel-Boot/Operational Event ID 16 will show the changed boot configuration at next boot cycle.
- Test 3Disable RequireSignedAppInit_DLLs via Registry
Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs', Details='DWORD (0x00000000)'. Sysmon Event ID 1: Process Create for reg.exe with full command line. Security Event ID 4657 if object access auditing is configured for registry keys.
- Test 4Disable Hypervisor-Protected Code Integrity (HVCI) via Registry
Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'DeviceGuard\HypervisorEnforcedCodeIntegrity', Details='DWORD (0x00000000)'. Sysmon Event ID 1 for reg.exe process. Security Event ID 4657 (if object access auditing enabled). At next reboot: Windows Event Log Microsoft-Windows-DeviceGuard/Operational will show HVCI enforcement status change.
- Test 5macOS System Integrity Protection Status Check and Disable Simulation
Expected signal: macOS Unified Log (ULS): process execution of csrutil with 'disable' argument. EDR telemetry (if macOS endpoint agent deployed): process creation event for /usr/bin/csrutil with arguments 'disable'. The command will fail with 'csrutil: failed to modify system integrity configuration. This tool needs to be executed from Recovery OS.' which itself is a detectable signal.
References (13)
- https://attack.mitre.org/techniques/T1553/006/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test
- https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
- https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
- https://web.archive.org/web/20210920172620/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
- https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- https://github.com/hfiref0x/TDL
- https://www.loldrivers.io/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.006/T1553.006.md
- https://github.com/SigmaHQ/sigma/search?q=testsigning
- https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
- https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-supply-chain-attack-capabilities.html
Unlock Pro Content
Get the full detection package for T1553.006 including response playbook, investigation guide, and atomic red team tests.