Code Signing Policy Modification Through Built-in tools

Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2023/01/31"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/10"
  6min_stack_version = "8.13.0"
  7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  8
  9[transform]
 10[[transform.osquery]]
 11label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 12query = """
 13SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
 14issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
 15authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 16"""
 17
 18[[transform.osquery]]
 19label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 20query = """
 21SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
 22issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
 23authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 24"""
 25
 26
 27[rule]
 28author = ["Elastic"]
 29description = """
 30Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides
 31authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By
 32allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
 33"""
 34from = "now-9m"
 35index = [
 36    "winlogbeat-*",
 37    "logs-endpoint.events.process-*",
 38    "logs-windows.forwarded*",
 39    "logs-windows.sysmon_operational-*",
 40    "endgame-*",
 41    "logs-system.security*",
 42    "logs-m365_defender.event-*",
 43    "logs-sentinel_one_cloud_funnel.*",
 44]
 45language = "eql"
 46license = "Elastic License v2"
 47name = "Code Signing Policy Modification Through Built-in tools"
 48note = """## Triage and analysis
 49
 50### Investigating Code Signing Policy Modification Through Built-in tools
 51
 52Windows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.
 53
 54This protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.
 55
 56This rule identifies commands that can disable the Driver Signature Enforcement feature.
 57
 58> **Note**:
 59> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
 60
 61#### Possible investigation steps
 62
 63- Identify the user account that performed the action and whether it should perform this kind of action.
 64- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 65- Investigate other alerts associated with the user/host during the past 48 hours.
 66- Use Osquery and endpoint driver events (`event.category = "driver"`) to investigate if suspicious drivers were loaded into the system after the command was executed.
 67  - $osquery_0
 68  - $osquery_1
 69- Identify the driver's `Device Name` and `Service Name`.
 70- Check for alerts from the rules specified in the `Related Rules` section.
 71
 72### False positive analysis
 73
 74- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.
 75
 76### Related Rules
 77
 78- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9
 79- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa
 80- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd
 81
 82### Response and remediation
 83
 84- Initiate the incident response process based on the outcome of the triage.
 85- Isolate the involved host to prevent further post-compromise behavior.
 86- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)
 87- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.
 88  - This can be done via PowerShell `Remove-Service` cmdlet.
 89- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 90- Remove and block malicious artifacts identified during triage.
 91- Ensure that the Driver Signature Enforcement is enabled on the system.
 92- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 93- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 94- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 95"""
 96risk_score = 47
 97rule_id = "b43570de-a908-4f7f-8bdb-b2df6ffd8c80"
 98severity = "medium"
 99tags = [
100    "Domain: Endpoint",
101    "OS: Windows",
102    "Use Case: Threat Detection",
103    "Tactic: Defense Evasion",
104    "Data Source: Elastic Endgame",
105    "Resources: Investigation Guide",
106    "Data Source: Elastic Defend",
107    "Data Source: System",
108    "Data Source: Microsoft Defender for Endpoint",
109    "Data Source: Sysmon",
110    "Data Source: SentinelOne",
111]
112timestamp_override = "event.ingested"
113type = "eql"
114
115query = '''
116process where host.os.type == "windows" and event.type == "start" and
117  (process.name: "bcdedit.exe" or ?process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and 
118  process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS")
119'''
120
121
122[[rule.threat]]
123framework = "MITRE ATT&CK"
124[[rule.threat.technique]]
125id = "T1553"
126name = "Subvert Trust Controls"
127reference = "https://attack.mitre.org/techniques/T1553/"
128[[rule.threat.technique.subtechnique]]
129id = "T1553.006"
130name = "Code Signing Policy Modification"
131reference = "https://attack.mitre.org/techniques/T1553/006/"
132
133
134
135[rule.threat.tactic]
136id = "TA0005"
137name = "Defense Evasion"
138reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Investigating Code Signing Policy Modification Through Built-in tools

Windows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.

This protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.

This rule identifies commands that can disable the Driver Signature Enforcement feature.

Note: This investigation guide uses the Osquery Markdown Plugin introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.

Possible investigation steps

  • Identify the user account that performed the action and whether it should perform this kind of action.
  • Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
  • Investigate other alerts associated with the user/host during the past 48 hours.
  • Use Osquery and endpoint driver events (event.category = "driver") to investigate if suspicious drivers were loaded into the system after the command was executed.
    • $osquery_0
    • $osquery_1
  • Identify the driver's Device Name and Service Name.
  • Check for alerts from the rules specified in the Related Rules section.

False positive analysis

  • This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.
  • First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9
  • Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa
  • Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Isolate the involved host to prevent further post-compromise behavior.
  • Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)
  • Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.
    • This can be done via PowerShell Remove-Service cmdlet.
  • Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
  • Remove and block malicious artifacts identified during triage.
  • Ensure that the Driver Signature Enforcement is enabled on the system.
  • Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
  • Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

Related rules

to-top