IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Code Signing Policy Modification Through Registry
editCode Signing Policy Modification Through Registry
editIdentifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
- endgame-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
- Elastic Endgame
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editregistry where host.os.type == "windows" and event.type : ("creation", "change") and
(
registry.path : "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" and
registry.value: "BehaviorOnFailedVerify" and
registry.data.strings : ("0", "0x00000000", "1", "0x00000001")
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Subvert Trust Controls
- ID: T1553
- Reference URL: https://attack.mitre.org/techniques/T1553/
-
Sub-technique:
- Name: Code Signing Policy Modification
- ID: T1553.006
- Reference URL: https://attack.mitre.org/techniques/T1553/006/