DET0619 Detection of Code Signing Policy Modification
| Item | Value |
|---|---|
| ID | DET0619 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1632.001 (Code Signing Policy Modification)
Analytics
Android
AN1679
On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.
On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | User Interface | None |
Mutable Elements
| Field | Description |
|---|---|
iOS
AN1680
On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.
On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.
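The configuration-profile check described above, as an added example that is not part of the original page or any MDM product's code: it parses a constructed MDM `ProfileList` response and flags profiles that fall outside a baseline. The allowlist contents, the sample identifiers and the function name are assumptions for illustration.

```python
import plistlib

# Constructed sample of an MDM ProfileList response body (not real device data).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ProfileList</key><array>
 <dict>
  <key>PayloadIdentifier</key><string>com.example.corp.wifi</string>
  <key>IsManaged</key><true/>
  <key>PayloadContent</key><array>
   <dict><key>PayloadType</key><string>com.apple.wifi.managed</string></dict>
  </array>
 </dict>
 <dict>
  <key>PayloadIdentifier</key><string>net.example.freevpn.profile</string>
  <key>IsManaged</key><false/>
  <key>PayloadContent</key><array>
   <dict><key>PayloadType</key><string>com.apple.security.root</string></dict>
  </array>
 </dict>
</array></dict></plist>"""

# Assumption: the organization's baseline of expected profile identifiers.
ALLOWED_IDENTIFIERS = {"com.example.corp.wifi"}
# Payload types that add certificates to the device.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
                      "com.apple.security.pem"}

def find_profile_anomalies(response_plist, allowed=ALLOWED_IDENTIFIERS):
    """Return [(identifier, [reasons])] for profiles that need review."""
    response = plistlib.loads(response_plist)
    findings = []
    for profile in response.get("ProfileList", []):
        ident = profile.get("PayloadIdentifier", "<missing>")
        reasons = []
        if ident not in allowed:
            reasons.append("identifier not in baseline")
            types = {p.get("PayloadType") for p in profile.get("PayloadContent", [])}
            if types & CERT_PAYLOAD_TYPES:
                reasons.append("carries a certificate payload")
        if not profile.get("IsManaged", False):
            reasons.append("not installed by MDM")
        if reasons:
            findings.append((ident, reasons))
    return findings

if __name__ == "__main__":
    for ident, reasons in find_profile_anomalies(SAMPLE_RESPONSE):
        print(ident, "->", "; ".join(reasons))
```
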
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | User Interface | None |
Mutable Elements
| Field | Description |
|---|---|