DET0230 Detect Suspicious or Malicious Code Signing Abuse
| Item | Value |
|---|---|
| ID | DET0230 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1553.002 (Code Signing)
Analytics
Windows
AN0643
Detects execution of binaries signed with unusual or recently issued certificates, correlates process execution with abnormal publisher metadata and mismatched certificate chains, and monitors for revoked or unknown code signing certificates used in high-privilege contexts.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| AllowedCertificateAuthorities | Define trusted issuers to suppress noise from legitimate enterprise signing chains |
| TimeWindow | Correlation window for detecting execution of binaries with newly observed or anomalous certificates |
| CertificateAgeThreshold | Baseline normal age of certificates; flag very recent or expired certificates |
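The following is an added example of how the Windows analytic's conditions and its three mutable elements could be applied to process-execution telemetry. It is not code from DET0230 or from ATT&CK. The events are constructed for the example, and the field names (`signature_status`, `issuer`, `thumbprint`, `not_before`, `not_after`, `file_company`, `subject`, `integrity`) are assumptions: real telemetry would have to be mapped onto them, and the allow list, age threshold and window values are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Tunables mirroring the mutable elements above; the values are assumptions for the example.
ALLOWED_CERTIFICATE_AUTHORITIES = {"Contoso Enterprise Issuing CA"}
CERTIFICATE_AGE_THRESHOLD = timedelta(days=7)
TIME_WINDOW = timedelta(hours=24)
HIGH_PRIVILEGE = {"High", "System"}          # integrity levels treated as high-privilege context
UNTRUSTED_STATUS = {"Revoked", "Unknown", "Invalid", "Unsigned"}


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed process-execution events with signer metadata already joined in (hypothetical fields).
EVENTS = [
    {"time": "2025-10-21T09:00:00", "image": r"C:\Program Files\Contoso\agent.exe", "integrity": "High",
     "signature_status": "Valid", "issuer": "Contoso Enterprise Issuing CA", "subject": "Contoso Ltd",
     "file_company": "Contoso Ltd", "thumbprint": "AAA1",
     "not_before": "2024-01-10T00:00:00", "not_after": "2027-01-10T00:00:00"},
    {"time": "2025-10-21T09:05:00", "image": r"C:\Users\bob\Downloads\update.exe", "integrity": "High",
     "signature_status": "Valid", "issuer": "Example Public CA", "subject": "Bobs Tools Ltd",
     "file_company": "Contoso Ltd", "thumbprint": "BBB2",
     "not_before": "2025-10-19T00:00:00", "not_after": "2026-10-19T00:00:00"},
    {"time": "2025-10-21T09:10:00", "image": r"C:\Temp\tool.exe", "integrity": "System",
     "signature_status": "Revoked", "issuer": "Example Public CA", "subject": "Example Vendor",
     "file_company": "Example Vendor", "thumbprint": "CCC3",
     "not_before": "2024-03-01T00:00:00", "not_after": "2026-03-01T00:00:00"},
    {"time": "2025-10-21T09:20:00", "image": r"C:\Users\bob\AppData\Local\viewer.exe", "integrity": "Medium",
     "signature_status": "Valid", "issuer": "Example Public CA", "subject": "Viewer Inc",
     "file_company": "Viewer Inc", "thumbprint": "DDD4",
     "not_before": "2022-05-01T00:00:00", "not_after": "2025-05-01T00:00:00"},
    {"time": "2025-10-21T09:30:00", "image": r"C:\Users\bob\AppData\Local\viewer.exe", "integrity": "Medium",
     "signature_status": "Valid", "issuer": "Example Public CA", "subject": "Viewer Inc",
     "file_company": "Viewer Inc", "thumbprint": "EEE5",
     "not_before": "2023-05-01T00:00:00", "not_after": "2026-05-01T00:00:00"},
]


def evaluate(events, allowed_cas=ALLOWED_CERTIFICATE_AUTHORITIES,
             age_threshold=CERTIFICATE_AGE_THRESHOLD, time_window=TIME_WINDOW):
    """Return one finding per execution that trips at least one of the analytic's conditions."""
    first_seen = {}   # thumbprint -> time the certificate was first observed executing
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        now = _ts(e["time"])
        tp = e["thumbprint"]
        first_seen.setdefault(tp, now)
        privileged = e["integrity"] in HIGH_PRIVILEGE
        trusted_chain = e["issuer"] in allowed_cas
        reasons = []

        # 1. Revoked/unknown/invalid signatures are always suspicious; record the privilege context.
        if e["signature_status"] in UNTRUSTED_STATUS:
            reasons.append(e["signature_status"].lower() + " signature"
                           + (" in high-privilege context" if privileged else ""))

        # 2. Certificate age: issued within the threshold (enterprise chains excepted) or already expired.
        if not trusted_chain and now - _ts(e["not_before"]) < age_threshold:
            reasons.append("certificate issued within age threshold")
        if now > _ts(e["not_after"]):
            reasons.append("certificate expired at execution time")

        # 3. Publisher metadata mismatch: the file's claimed company differs from the signing subject.
        if e["file_company"] != e["subject"]:
            reasons.append("file publisher metadata does not match signing subject")

        # 4. Newly observed certificate (still inside TimeWindow of its first sighting) run at high
        #    privilege, unless it chains to an allowed CA (AllowedCertificateAuthorities suppresses it).
        if privileged and not trusted_chain and now - first_seen[tp] <= time_window:
            reasons.append("newly observed certificate executed at high privilege")

        if reasons:
            findings.append({"time": e["time"], "image": e["image"], "thumbprint": tp, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f["time"], f["image"], "->", "; ".join(f["reasons"]))
```

Running it over the constructed events yields three findings: the freshly issued, publisher-mismatched `update.exe` at high integrity, the revoked `tool.exe` running as System, and the expired `viewer.exe`; the enterprise-signed agent and the re-signed `viewer.exe` are left alone. Adding an issuer to the allow list drops the age and first-sighting reasons for that chain but keeps the revocation, expiry and mismatch checks, which is the intended noise-suppression behaviour.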
macOS
AN0644
Monitors Gatekeeper, spctl, and unified log entries for binaries executed with unexpected or untrusted signatures. Correlates file metadata changes with process launches where signature validation is skipped, altered, or fails but the process still executes.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | Code signing verification failures or bypassed trust decisions |
| Process Creation (DC0032) | macos:unifiedlog | Execution of binaries that are unsigned or carry anomalous signatures |
Mutable Elements
| Field | Description |
|---|---|
| DeveloperIDAllowList | Maintain a list of expected Developer IDs to minimize false positives from enterprise apps |
| TimeWindow | Correlation window linking a file signature change or failed trust decision to subsequent executions of that file |
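The following is an added example of the macOS correlation the analytic describes: a failed or bypassed trust decision on a file (File Metadata) followed within `TimeWindow` by a launch of that file (Process Creation), plus the unsigned and Developer ID allow-list checks. It is not code from DET0230 or from ATT&CK. The records are constructed and already parsed; they stand in for unified-log entries rather than reproducing `log show` output, and the record fields (`kind`, `verdict`, `reason`, `team_id`, `signed`) and the allow-list and window values are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Tunables mirroring the mutable elements above; the values are assumptions for the example.
DEVELOPER_ID_ALLOW_LIST = {"ABCDE12345"}      # Team IDs of expected enterprise apps
TIME_WINDOW = timedelta(minutes=30)


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed records standing in for already-parsed unified-log entries (hypothetical fields).
# "assessment" records model Gatekeeper/spctl trust decisions on a file (File Metadata);
# "exec" records model process launches carrying the binary's signing state (Process Creation).
RECORDS = [
    {"time": "2025-10-21T09:00:00", "kind": "assessment", "path": "/usr/local/bin/legacy",
     "verdict": "rejected", "reason": "code signature invalid"},
    {"time": "2025-10-21T10:00:00", "kind": "assessment",
     "path": "/Users/bob/Downloads/Installer.app/Contents/MacOS/Installer",
     "verdict": "rejected", "reason": "no valid code signature"},
    {"time": "2025-10-21T10:01:00", "kind": "assessment", "path": "/Applications/Corp.app/Contents/MacOS/Corp",
     "verdict": "accepted", "reason": "Developer ID"},
    {"time": "2025-10-21T10:02:00", "kind": "assessment", "path": "/Users/bob/Downloads/tool",
     "verdict": "overridden", "reason": "user bypassed Gatekeeper"},
    {"time": "2025-10-21T10:05:00", "kind": "exec", "pid": 501,
     "path": "/Applications/Corp.app/Contents/MacOS/Corp", "signed": True, "team_id": "ABCDE12345"},
    {"time": "2025-10-21T10:06:00", "kind": "exec", "pid": 502,
     "path": "/Users/bob/Downloads/Installer.app/Contents/MacOS/Installer", "signed": False, "team_id": None},
    {"time": "2025-10-21T10:10:00", "kind": "exec", "pid": 503,
     "path": "/Users/bob/Downloads/tool", "signed": True, "team_id": "ZZZZZ99999"},
    {"time": "2025-10-21T10:30:00", "kind": "exec", "pid": 504,
     "path": "/usr/local/bin/legacy", "signed": True, "team_id": "ABCDE12345"},
]


def correlate(records, allow_list=DEVELOPER_ID_ALLOW_LIST, time_window=TIME_WINDOW):
    """Return one finding per process launch that follows a failed or bypassed trust decision
    within time_window, runs unsigned, or is signed by a Developer ID outside the allow list."""
    failed = {}   # path -> (time, verdict, reason) of the latest non-accepted assessment
    findings = []
    for r in sorted(records, key=lambda x: x["time"]):
        now = _ts(r["time"])
        if r["kind"] == "assessment":
            if r["verdict"] == "accepted":
                failed.pop(r["path"], None)      # a clean re-assessment clears the pending state
            else:
                failed[r["path"]] = (now, r["verdict"], r["reason"])
            continue

        reasons = []
        prior = failed.get(r["path"])
        # File-metadata-to-process correlation: only launches inside TimeWindow of the failure count.
        if prior and now - prior[0] <= time_window:
            reasons.append(f"executed within window after assessment {prior[1]} ({prior[2]})")
        if not r["signed"]:
            reasons.append("unsigned binary executed")
        elif r["team_id"] not in allow_list:
            reasons.append(f"Developer ID {r['team_id']} not in allow list")
        if reasons:
            findings.append({"pid": r["pid"], "path": r["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(RECORDS):
        print(f["pid"], f["path"], "->", "; ".join(f["reasons"]))
```

On the constructed records this flags pid 502 (rejected assessment followed by an unsigned launch) and pid 503 (Gatekeeper override followed by a launch signed with a Team ID outside the allow list), while the enterprise app and the `legacy` binary, whose failed assessment is 90 minutes old, stay quiet. Widening `TIME_WINDOW` to two hours pulls `legacy` in as well, which is exactly the trade-off the mutable element exists to tune.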