Detect Code Signing Policy Modification in Splunk
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. On Windows, this includes enabling TESTSIGNING boot mode via bcdedit.exe, disabling Driver Signature Enforcement (DSE) by modifying the g_CiOptions kernel variable (typically via a BYOVD exploit), or changing registry keys that control signed DLL enforcement such as RequireSignedAppInit_DLLs. On macOS, adversaries disable System Integrity Protection (SIP) using csrutil disable from Recovery Mode. Threat actors including APT39, BlackEnergy, Hikit, Pandora, and Turla have used these techniques to load unsigned rootkit drivers and persist with kernel-level access.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Sub-technique
- T1553.006 Code Signing Policy Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1553/006/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| where (EventCode=1 AND match(lower(Image), "bcdedit\.exe") AND match(lower(CommandLine), "(testsigning|nointegritychecks|bootdebug)"))
OR (EventCode=13 AND (
match(TargetObject, "(?i)Windows\\RequireSignedAppInit_DLLs") OR
match(TargetObject, "(?i)Windows\\LoadAppInit_DLLs") OR
match(TargetObject, "(?i)DeviceGuard\\EnableVirtualizationBasedSecurity") OR
match(TargetObject, "(?i)DeviceGuard\\HypervisorEnforcedCodeIntegrity") OR
match(TargetObject, "(?i)DeviceGuard\\RequirePlatformSecurityFeatures") OR
match(TargetObject, "(?i)Control\\CI\\")
))
OR (EventCode=4657 AND (
match(ObjectName, "(?i)RequireSignedAppInit") OR
match(ObjectName, "(?i)DeviceGuard") OR
match(ObjectName, "(?i)\\Control\\CI")
))
| eval detection_type=case(
EventCode=1, "BCD_Policy_Modification_bcdedit",
EventCode=13, "Sysmon_Registry_CISigning_Modification",
EventCode=4657, "Security_Audit_Registry_CISigning",
true(), "Unknown"
)
| eval testsigning_enabled=if(
EventCode=1 AND match(lower(CommandLine), "testsigning") AND match(lower(CommandLine), "\bset\b") AND match(lower(CommandLine), "\bon\b"),
1, 0
)
| eval integrity_checks_disabled=if(
EventCode=1 AND match(lower(CommandLine), "nointegritychecks") AND match(lower(CommandLine), "\bon\b"),
1, 0
)
| eval hvci_disabled=if(
EventCode=13 AND match(TargetObject, "(?i)HypervisorEnforcedCodeIntegrity") AND match(Details, "(?i)DWORD \(0x0+\)"),
1, 0
)
| eval requiresigned_disabled=if(
EventCode=13 AND match(TargetObject, "(?i)RequireSignedAppInit_DLLs") AND match(Details, "(?i)DWORD \(0x0+\)"),
1, 0
)
| eval severity=case(
integrity_checks_disabled=1, "critical",
testsigning_enabled=1, "high",
hvci_disabled=1, "critical",
requiresigned_disabled=1, "high",
true(), "medium"
)
| table _time, host, User, Image, CommandLine, TargetObject, Details, ParentImage, ParentCommandLine,
detection_type, testsigning_enabled, integrity_checks_disabled, hvci_disabled, requiresigned_disabled, severity
| sort - _time

Detects code signing policy modification via three Sysmon/Security event types: EventCode=1 (Process Create) catches bcdedit enabling TESTSIGNING or disabling integrity checks; EventCode=13 (Registry Value Set) catches direct registry modification of code integrity enforcement keys including HVCI, VBS, and RequireSignedAppInit_DLLs; Security EventCode=4657 (object access auditing) catches the same registry changes through Windows native audit logging. Computed fields flag the specific modification type and assign severity based on the most dangerous changes (nointegritychecks and HVCI disable rated critical).
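To show how the where/eval logic above behaves on concrete telemetry, here is an added example (not part of the original page or its detection package) that re-implements the Sysmon branches of the query in Python and runs them over constructed events modelled on the Expected signal lines of Tests 1 to 4, plus a revert and a benign bcdedit query. The registry paths, image path and DWORD details are constructed sample values; the `\bset\b` / `\bon\b` and `0x0+` checks are taken directly from the query.

```python
import re

# Patterns mirror the SPL match() clauses above; re.I stands in for the (?i) flags.
BCDEDIT_IMAGE = re.compile(r"bcdedit\.exe$", re.I)
BCD_FLAGS = re.compile(r"testsigning|nointegritychecks|bootdebug", re.I)
CI_KEYS = re.compile(
    r"Windows\\(RequireSignedAppInit_DLLs|LoadAppInit_DLLs)|Control\\CI\\|"
    r"DeviceGuard\\(EnableVirtualizationBasedSecurity|HypervisorEnforcedCodeIntegrity|"
    r"RequirePlatformSecurityFeatures)", re.I)
ZERO_DWORD = re.compile(r"DWORD \(0x0+\)", re.I)  # value written as 0 = enforcement switched off

def classify(event):
    """None if the event falls outside the SPL where-clause, else its computed fields."""
    code = event.get("EventCode")
    cmd = event.get("CommandLine", "").lower()
    target = event.get("TargetObject", "").lower()
    zero = ZERO_DWORD.search(event.get("Details", "")) is not None
    if code == 1 and BCDEDIT_IMAGE.search(event.get("Image", "")) and BCD_FLAGS.search(cmd):
        dtype = "BCD_Policy_Modification_bcdedit"
    elif code == 13 and CI_KEYS.search(target):
        dtype = "Sysmon_Registry_CISigning_Modification"
    else:
        return None
    on = re.search(r"\bon\b", cmd) is not None
    flags = {
        "testsigning_enabled": code == 1 and "testsigning" in cmd and re.search(r"\bset\b", cmd) is not None and on,
        "integrity_checks_disabled": code == 1 and "nointegritychecks" in cmd and on,
        "hvci_disabled": code == 13 and "hypervisorenforcedcodeintegrity" in target and zero,
        "requiresigned_disabled": code == 13 and "requiresignedappinit_dlls" in target and zero,
    }
    # Same outcome as the SPL case(): each event type can only set its own pair of flags,
    # and within each pair the "critical" flag is evaluated before the "high" one.
    if flags["integrity_checks_disabled"] or flags["hvci_disabled"]:
        severity = "critical"
    elif flags["testsigning_enabled"] or flags["requiresigned_disabled"]:
        severity = "high"
    else:
        severity = "medium"
    return {"detection_type": dtype, "severity": severity, **flags}

# Constructed sample events: Tests 1-4 from the Testing Methodology, a revert, and a benign query.
BCDEDIT = r"C:\Windows\System32\bcdedit.exe"  # constructed image path
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": BCDEDIT, "CommandLine": "bcdedit /set testsigning on"},
    {"EventCode": 1, "Image": BCDEDIT, "CommandLine": "bcdedit /set nointegritychecks on"},
    {"EventCode": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs", "Details": "DWORD (0x00000000)"},
    {"EventCode": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity", "Details": "DWORD (0x00000000)"},
    {"EventCode": 1, "Image": BCDEDIT, "CommandLine": "bcdedit /set testsigning off"},  # revert: still surfaced, medium
    {"EventCode": 1, "Image": BCDEDIT, "CommandLine": "bcdedit /enum"},  # benign: no flag keyword, not surfaced
]
```

The revert case is worth noting when tuning: `bcdedit /set testsigning off` passes the where-clause but sets none of the flags, so it lands at severity medium rather than being suppressed.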
False Positives & Tuning
- Kernel developers enabling TESTSIGNING on dedicated driver development workstations
- IT administrators disabling RequireSignedAppInit_DLLs for legacy application compatibility troubleshooting
- Security researchers enabling test signing in isolated sandbox VMs for malware analysis
- OEM imaging or factory provisioning workflows that temporarily configure test signing modes
- Enterprise endpoint agents that legitimately set LoadAppInit_DLLs for their injection mechanism
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enable TESTSIGNING Boot Mode via bcdedit
  Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\bcdedit.exe, CommandLine='bcdedit /set testsigning on'. Security Event ID 4688 (with process command line auditing enabled) with same details. Note: no additional event is generated when TESTSIGNING takes effect at next reboot — the bcdedit process event is the only log entry.
- Test 2: Disable Driver Signature Enforcement via nointegritychecks
  Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe and CommandLine containing 'nointegritychecks on'. Security Event ID 4688 if process command line auditing is enabled. Microsoft-Windows-Kernel-Boot/Operational Event ID 16 will show the changed boot configuration at next boot cycle.
- Test 3: Disable RequireSignedAppInit_DLLs via Registry
  Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs', Details='DWORD (0x00000000)'. Sysmon Event ID 1: Process Create for reg.exe with full command line. Security Event ID 4657 if object access auditing is configured for registry keys.
- Test 4: Disable Hypervisor-Protected Code Integrity (HVCI) via Registry
  Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'DeviceGuard\HypervisorEnforcedCodeIntegrity', Details='DWORD (0x00000000)'. Sysmon Event ID 1 for reg.exe process. Security Event ID 4657 (if object access auditing enabled). At next reboot: Windows Event Log Microsoft-Windows-DeviceGuard/Operational will show HVCI enforcement status change.
- Test 5: macOS System Integrity Protection Status Check and Disable Simulation
  Expected signal: macOS Unified Log (ULS): process execution of csrutil with 'disable' argument. EDR telemetry (if macOS endpoint agent deployed): process creation event for /usr/bin/csrutil with arguments 'disable'. The command will fail with 'csrutil: failed to modify system integrity configuration. This tool needs to be executed from Recovery OS.' which itself is a detectable signal.
References (13)
- https://attack.mitre.org/techniques/T1553/006/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test
- https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
- https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
- https://web.archive.org/web/20210920172620/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
- https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- https://github.com/hfiref0x/TDL
- https://www.loldrivers.io/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.006/T1553.006.md
- https://github.com/SigmaHQ/sigma/search?q=testsigning
- https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
- https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-supply-chain-attack-capabilities.html