DET0523 Detect Code Signing Policy Modification (Windows & macOS)

Item	Value
ID	DET0523
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1553.006 (Code Signing Policy Modification)

Analytics

Windows

AN1446

Monitors execution of administrative utilities (e.g., bcdedit.exe) or registry modifications that disable Driver Signature Enforcement (DSE) or enable Test Signing. Correlates command-line activity, registry changes, and subsequent process executions that bypass signing enforcement.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Windows Registry Key Modification (DC0063)	WinEventLog:Security	EventCode=4657

Mutable Elements

Field	Description
MonitoredExecutables	Expand or restrict monitored utilities (e.g., bcdedit.exe, reg.exe) based on enterprise usage
RegistryPaths	Customize registry paths tied to Driver Signing enforcement depending on OS version
TimeWindow	Correlation window between registry modification and subsequent unsigned binary execution

macOS

AN1447

Detects modification of System Integrity Protection (SIP) or code signing enforcement policies through csrutil or kernel variable tampering. Correlates execution of csrutil disable commands with subsequent policy state changes and anomalous unsigned process executions.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	macos:unifiedlog	csrutil disable
Windows Registry Key Modification (DC0063)	macos:unifiedlog	g_CiOptions modification or SIP state change
Process Creation (DC0032)	macos:unifiedlog	Unsigned binary execution following SIP change

Mutable Elements

Field	Description
PolicyPaths	Track configuration files and kernel extensions tied to SIP enforcement
AllowedUsers	Restrict or expand which privileged accounts are monitored for SIP/CSRUTIL changes
TimeWindow	Define correlation between csrutil execution and unsigned process activity