Detect Code Signing Policy Modification in Microsoft Sentinel
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. On Windows, this includes enabling TESTSIGNING boot mode via bcdedit.exe, disabling Driver Signature Enforcement (DSE) by modifying the g_CiOptions kernel variable (typically via a BYOVD exploit), or changing registry keys that control signed DLL enforcement such as RequireSignedAppInit_DLLs. On macOS, adversaries disable System Integrity Protection (SIP) using csrutil disable from Recovery Mode. Threat actors including APT39, BlackEnergy, Hikit, Pandora, and Turla have used these techniques to load unsigned rootkit drivers and persist with kernel-level access.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Sub-technique
- T1553.006 Code Signing Policy Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1553/006/
KQL Detection Query

```kql
// T1553.006 — Code Signing Policy Modification
// Detects bcdedit enabling test signing or disabling integrity checks, and registry
// modifications to code signing enforcement keys (RequireSignedAppInit_DLLs, HVCI, VBS).
let SuspiciousBcdeditArgs = dynamic(["testsigning", "nointegritychecks", "bootdebug", "loadoptions safeboot", "recoveryenabled"]);
let CIRegistryPaths = dynamic([
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
    "\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard",
    "\\SYSTEM\\CurrentControlSet\\Control\\CI",
    "\\SYSTEM\\CurrentControlSet\\Control\\CodeIntegrity"
]);
let CIRegistryValues = dynamic([
    "RequireSignedAppInit_DLLs",
    "LoadAppInit_DLLs",
    "EnableVirtualizationBasedSecurity",
    "HypervisorEnforcedCodeIntegrity",
    "RequirePlatformSecurityFeatures"
]);
// Branch 1: bcdedit modifying boot-time signing enforcement
let BcdeditEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bcdedit.exe"
| where ProcessCommandLine has_any (SuspiciousBcdeditArgs)
| extend DetectionType = "BCD_Policy_Modification"
| extend SigningContext = case(
    ProcessCommandLine has "testsigning" and ProcessCommandLine has "on",
        "CRITICAL: TESTSIGNING enabled — unsigned kernel drivers can now load",
    ProcessCommandLine has "nointegritychecks" and ProcessCommandLine has "on",
        "CRITICAL: nointegritychecks enabled — DSE fully bypassed",
    ProcessCommandLine has "bootdebug" and ProcessCommandLine has "on",
        "HIGH: Boot debug mode enabled",
    ProcessCommandLine has "testsigning" and ProcessCommandLine has "off",
        "INFO: TESTSIGNING disabled (possible cleanup after malicious activity)",
    "MEDIUM: Suspicious BCD policy modification"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionType, SigningContext;
// Branch 2: Registry changes disabling code integrity enforcement
let RegistryEvents = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (CIRegistryPaths)
| where RegistryValueName has_any (CIRegistryValues)
| where (RegistryValueName in~ ("RequireSignedAppInit_DLLs", "EnableVirtualizationBasedSecurity",
            "HypervisorEnforcedCodeIntegrity", "RequirePlatformSecurityFeatures")
        and RegistryValueData in ("0", "0x00000000", "00000000"))
    or (RegistryValueName =~ "LoadAppInit_DLLs" and RegistryValueData in ("1", "0x00000001", "00000001"))
| extend DetectionType = "Registry_CISigning_Modification"
| extend SigningContext = strcat(
    "Registry code signing enforcement changed: ",
    RegistryValueName, " = ", RegistryValueData,
    " in key: ", RegistryKey
)
| project Timestamp, DeviceName,
    AccountName = InitiatingProcessAccountName,
    FileName = InitiatingProcessFileName,
    ProcessCommandLine = InitiatingProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    DetectionType, SigningContext;
union BcdeditEvents, RegistryEvents
| sort by Timestamp desc
```

Detects Windows code signing policy modification via two vectors: (1) bcdedit.exe invocations that enable TESTSIGNING boot mode or disable integrity checks, which allows unsigned kernel drivers to load; (2) registry value changes to keys governing Driver Signature Enforcement, Hypervisor-Protected Code Integrity (HVCI), and signed AppInit DLL requirements. Covers techniques used by APT39 (RequireSigned bypass), BlackEnergy (TESTSIGNING), and Turla/Pandora (DSE kernel memory manipulation via BYOVD). The registry branch fires on DWORD-zero writes to the enforcement values (and on LoadAppInit_DLLs being set to 1), which is the operational signature of disabling these controls.
Data Sources
Required Tables
False Positives & Tuning
- Kernel developers and driver developers legitimately enabling TESTSIGNING on dedicated test machines to load unsigned development drivers during the development and testing lifecycle
- IT administrators temporarily disabling RequireSignedAppInit_DLLs to diagnose application compatibility issues with legacy software
- Security researchers or malware analysts enabling test signing on sandboxed VMs to study unsigned samples in a controlled environment
- Hardware OEM imaging processes that configure test signing during factory provisioning or QA testing before shipping
- Enterprise software products (some legacy DLP, endpoint agents) that set LoadAppInit_DLLs as part of their legitimate injection mechanism
Other platforms for T1553.006
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enable TESTSIGNING Boot Mode via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\bcdedit.exe, CommandLine='bcdedit /set testsigning on'. Security Event ID 4688 (with process command line auditing enabled) with same details. Note: no additional event is generated when TESTSIGNING takes effect at next reboot — the bcdedit process event is the only log entry.
- Test 2: Disable Driver Signature Enforcement via nointegritychecks
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe and CommandLine containing 'nointegritychecks on'. Security Event ID 4688 if process command line auditing is enabled. Microsoft-Windows-Kernel-Boot/Operational Event ID 16 will show the changed boot configuration at next boot cycle.
- Test 3: Disable RequireSignedAppInit_DLLs via Registry
Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs', Details='DWORD (0x00000000)'. Sysmon Event ID 1: Process Create for reg.exe with full command line. Security Event ID 4657 if object access auditing is configured for registry keys.
- Test 4: Disable Hypervisor-Protected Code Integrity (HVCI) via Registry
Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'DeviceGuard\HypervisorEnforcedCodeIntegrity', Details='DWORD (0x00000000)'. Sysmon Event ID 1 for reg.exe process. Security Event ID 4657 (if object access auditing enabled). At next reboot: Windows Event Log Microsoft-Windows-DeviceGuard/Operational will show HVCI enforcement status change.
- Test 5: macOS System Integrity Protection Status Check and Disable Simulation
Expected signal: macOS Unified Log (ULS): process execution of csrutil with 'disable' argument. EDR telemetry (if macOS endpoint agent deployed): process creation event for /usr/bin/csrutil with arguments 'disable'. The command will fail with 'csrutil: failed to modify system integrity configuration. This tool needs to be executed from Recovery OS.' which itself is a detectable signal.
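To check the query's triage logic offline before deploying it, here is an added Python re-implementation of both branches run over constructed Sysmon Event ID 1 and Event ID 13 records shaped like the expected signals in Tests 1 to 4 above. It is not part of the original rule; the event dictionaries, label strings and `Contoso` key are assumptions made for this example.

```python
import re
# Watch-lists mirrored from the KQL above: bcdedit arguments, code-integrity key suffixes and value names.
SUSPICIOUS_BCD_ARGS = ("testsigning", "nointegritychecks", "bootdebug", "loadoptions safeboot", "recoveryenabled")
CI_KEY_SUFFIXES = (r"\software\microsoft\windows nt\currentversion\windows", r"\system\currentcontrolset\control\deviceguard",
                   r"\system\currentcontrolset\control\ci", r"\system\currentcontrolset\control\codeintegrity")
DISABLED_WHEN_ZERO = {"requiresignedappinit_dlls", "enablevirtualizationbasedsecurity",
                      "hypervisorenforcedcodeintegrity", "requireplatformsecurityfeatures"}

def classify_bcdedit(command_line):
    """Branch 1: severity label for a bcdedit command line, or None when no watched argument is present."""
    cl = command_line.lower()
    terms = set(re.split(r"\W+", cl))  # whole terms, like KQL `has`, so "on" cannot match inside another word
    if "testsigning" in terms and "on" in terms:
        return "CRITICAL: TESTSIGNING enabled"
    if "nointegritychecks" in terms and "on" in terms:
        return "CRITICAL: nointegritychecks enabled"
    if "bootdebug" in terms and "on" in terms:
        return "HIGH: boot debug enabled"
    if "testsigning" in terms and "off" in terms:
        return "INFO: TESTSIGNING disabled (possible cleanup)"
    return "MEDIUM: suspicious BCD policy modification" if any(arg in cl for arg in SUSPICIOUS_BCD_ARGS) else None

def classify_registry(target_object, details):
    """Branch 2: alert when a watched value is written in its 'enforcement off' state, else None."""
    key, _, value_name = target_object.rpartition("\\")
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details.strip(), re.IGNORECASE)  # Sysmon ID 13 Details format
    if m is None or not key.lower().endswith(CI_KEY_SUFFIXES):
        return None
    data, name = int(m.group(1), 16), value_name.lower()
    if (name in DISABLED_WHEN_ZERO and data == 0) or (name == "loadappinit_dlls" and data == 1):
        return f"Registry code signing enforcement changed: {value_name} = {data}"
    return None

def detect(events):
    """Dispatch Sysmon-style events (ID 1 process create, ID 13 registry value set) to both branches."""
    labels = (classify_bcdedit(ev["CommandLine"]) if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\bcdedit.exe")
              else classify_registry(ev["TargetObject"], ev["Details"]) if ev["EventID"] == 13 else None
              for ev in events)
    return [label for label in labels if label]

# Constructed sample events (not real telemetry): true positives for both branches plus two benign writes.
BCDEDIT, APPINIT = r"C:\Windows\System32\bcdedit.exe", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": BCDEDIT, "CommandLine": "bcdedit /set testsigning on"},
    {"EventID": 1, "Image": BCDEDIT, "CommandLine": "bcdedit /set nointegritychecks on"},
    {"EventID": 13, "TargetObject": APPINIT + r"\RequireSignedAppInit_DLLs", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": APPINIT + r"\LoadAppInit_DLLs", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": APPINIT + r"\RequireSignedAppInit_DLLs", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Contoso\RequireSignedAppInit_DLLs", "Details": "DWORD (0x00000000)"},
]
```

Running `detect(SAMPLE_EVENTS)` yields four alerts: the two bcdedit commands and the two disabling registry writes, while the re-enable to 1 and the write under an unmonitored key are ignored, matching the branch logic of the query.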
References (13)
- https://attack.mitre.org/techniques/T1553/006/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test
- https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
- https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
- https://web.archive.org/web/20210920172620/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
- https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- https://github.com/hfiref0x/TDL
- https://www.loldrivers.io/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.006/T1553.006.md
- https://github.com/SigmaHQ/sigma/search?q=testsigning
- https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
- https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-supply-chain-attack-capabilities.html