DET0031 Invalid Code Signature Execution Detection via Metadata and Behavioral Context

Item	Value
ID	DET0031
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1036.001 (Invalid Code Signature)

Analytics

Windows

AN0089

Execution of binaries with invalid digital signatures, where metadata claims code is signed but validation fails. Behavior is often correlated with suspicious parent processes or unexpected execution paths.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
File Metadata (DC0059)	WinEventLog:Windows Defender	Operational log
Command Execution (DC0064)	WinEventLog:PowerShell	EventCode=4103, 4104, 4105, 4106

Mutable Elements

Field	Description
SignatureValidationResult	Allow tuning to include ‘invalid’, ‘expired’, or ‘untrusted root’ based on environment tolerance
ParentProcessName	Helps tune false positives by limiting to suspicious parent process executions
TimeWindow	Defines correlation window between metadata check and process execution

macOS

AN0090

Binaries or applications executed with tampered or unverifiable code signatures. Often tied to Gatekeeper bypasses, App Translocation, or use of unsigned launch daemons by untrusted users.

Log Sources

Data Component	Name	Channel
File Metadata (DC0059)	macos:unifiedlog	subsystem:syspolicyd
Process Creation (DC0032)	macos:endpointsecurity	ES_EVENT_TYPE_NOTIFY_EXEC
File Modification (DC0061)	fs:fileevents	/var/log/install.log

Mutable Elements

Field	Description
CodeSigningStatus	Filters such as ‘Unsigned’, ‘NotTrusted’, or ‘ModifiedSinceSigning’ may vary by policy enforcement level
UserContext	Tune whether detection applies to all users or excludes trusted admin accounts
ExecutablePathPrefix	Enable tuning for known valid locations (e.g., /Applications) vs. suspicious paths (/Users/Shared)