title: Code Signing Policy Modification (T1553.006)
id: df00tech-t1553-006
status: experimental
description: "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. On Windows, this includes enabling TESTSIGNING boot mode via bcdedit.exe, disabling Driver Signature Enforcement (DSE) by modifying the g_CiOptions kernel variable (typically via a BYOVD exploit), or changing registry keys that control signed DLL enforcement such as RequireSignedAppInit_DLLs. On macOS, adversaries disable System Integrity Protection (SIP) using csrutil disable from Recovery Mode. Threat actors including APT39, BlackEnergy, Hikit, Pandora, and Turla have used these techniques to load unsigned rootkit drivers and persist with kernel-level access."
references:
  - https://attack.mitre.org/techniques/T1553/006/
  - https://df00tech.com/detections/T1553.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1553.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder 'EventID: *' replaced with a selection derived from the technique description;
  # the full KQL/SPL query is on df00tech. Tune the patterns for your environment.
  selection_bcdedit:
    # bcdedit.exe enabling TESTSIGNING boot mode or disabling Driver Signature Enforcement
    Image|endswith: '\bcdedit.exe'
    CommandLine|contains:
      - 'testsigning'
      - 'nointegritychecks'
  selection_appinit:
    # command-line changes to the registry value that enforces signed AppInit DLLs
    CommandLine|contains: 'RequireSignedAppInit_DLLs'
  condition: 1 of selection_*
falsepositives:
  - Kernel developers and driver developers legitimately enabling TESTSIGNING on dedicated test machines to load unsigned development drivers during the development and testing lifecycle
  - IT administrators temporarily disabling RequireSignedAppInit_DLLs to diagnose application compatibility issues with legacy software
  - Security researchers or malware analysts enabling test signing on sandboxed VMs to study unsigned samples in a controlled environment
  - Hardware OEM imaging processes that configure test signing during factory provisioning or QA testing before shipping
  - "Enterprise software products (some legacy DLP, endpoint agents) that set LoadAppInit_DLLs as part of their legitimate injection mechanism"
level: critical
