Code Signing Policy Modification Through Registry

edit

Code Signing Policy Modification Through Registry

edit

Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion
  • Elastic Endgame

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
registry where host.os.type == "windows" and event.type : ("creation", "change") and
(
  registry.path : "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" and
  registry.value: "BehaviorOnFailedVerify" and
  registry.data.strings : ("0", "0x00000000", "1", "0x00000001")
)

Framework: MITRE ATT&CKTM