Code Signing Policy Modification Through Built-in Tools

Attackers may attempt to subvert trust controls by disabling or modifying the code signing policy. This allows them to execute unsigned or self-signed malicious code. This can be achieved by modifying boot configuration data (BCD) settings using the built-in bcdedit.exe utility on Windows. Disabling Driver Signature Enforcement (DSE) allows the loading of untrusted drivers, which can compromise system integrity. The rule identifies commands that can disable the Driver Signature Enforcement feature. The scope of the targeting is broad, as it can affect any Windows system where an attacker gains sufficient privileges to modify the BCD settings. This activity is detected by analyzing process execution events for specific command-line arguments used with bcdedit.exe. The detection rule was last updated on 2026-05-04.

Attack Chain

1. The attacker gains administrative privileges on a Windows system.
2. The attacker executes bcdedit.exe with arguments to disable driver signature enforcement. Example: bcdedit.exe /set testsigning on or bcdedit.exe /set nointegritychecks on.
3. The bcdedit.exe modifies the Boot Configuration Data (BCD) store.
4. The system is restarted to apply the changes made to the BCD.
5. The attacker loads an unsigned or self-signed malicious driver.
6. The malicious driver executes with kernel-level privileges.
7. The attacker performs malicious activities such as installing rootkits, bypassing security controls, or stealing sensitive data.
8. The attacker maintains persistence by ensuring the malicious driver is loaded on subsequent system reboots.

Impact

Successful modification of the code signing policy can lead to the execution of unsigned or self-signed malicious code, which can compromise the integrity and security of the system. Attackers can install rootkits, bypass security controls, or steal sensitive data. The impact can range from individual system compromise to broader network-wide attacks, depending on the attacker’s objectives.

Recommendation

• Deploy the Sigma rule “Code Signing Policy Modification Through Built-in Tools” to your SIEM to detect the execution of bcdedit.exe with arguments used to disable code signing (process.args).
• Enable process creation logging with command line arguments on Windows systems to ensure the Sigma rule can capture the relevant events (logsource).
• Investigate any detected instances of code signing policy modification, as this activity is typically not legitimate and can indicate malicious activity. The rule First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9 can be used to detect suspicious drivers loaded into the system after the command was executed.
• Ensure that Driver Signature Enforcement is enabled on all systems.