Code Signing Policy Modification Through Registry
Attackers may modify the Windows registry to disable code signing policy, allowing the execution of unsigned or self-signed malicious code, thereby bypassing security controls and enabling defense evasion.
Attackers can modify the BehaviorOnFailedVerify registry value to disable code signing enforcement, allowing the execution of unsigned or self-signed code. This subverts trust controls and lets attackers load and execute malicious drivers or other executables without proper validation. The targeted registry value controls how the system behaves when a driver's signature verification fails, and altering it weakens system security. This technique is a common way to bypass security measures that rely on code signing to ensure the integrity and authenticity of software. The activity has been observed across environments where endpoint detection and response solutions are deployed. The rule identifies registry modifications that can disable Driver Signature Enforcement (DSE).
Attack Chain
- The attacker gains initial access to the target system through methods such as phishing, exploiting vulnerabilities, or social engineering.
- The attacker escalates privileges to obtain administrative rights, which are required to modify the registry.
- The attacker uses a command-line tool, such as reg.exe or PowerShell, to modify the BehaviorOnFailedVerify registry value.
- The registry value is changed to either "0" or "1", effectively disabling or weakening code signing enforcement.
- The attacker loads an unsigned or self-signed malicious driver or executable.
- The malicious code executes without proper validation, allowing the attacker to perform malicious activities on the system.
- The attacker may then establish persistence, move laterally within the network, or exfiltrate sensitive data.
- The final objective could be data theft, ransomware deployment, or establishing a long-term foothold within the compromised environment.
Impact
Successful modification of the code signing policy can lead to the execution of arbitrary code without proper validation, potentially compromising the entire system. Attackers can use this technique to install rootkits, bypass security software, and perform other malicious activities. Depending on the attacker’s objectives, this can result in data theft, system instability, or complete system compromise. While no specific victim count or sector is mentioned, any Windows system where code signing is relied upon for security is potentially at risk.
Recommendation
- Deploy the Sigma rule "Code Signing Policy Modification Through Registry" to your SIEM to detect suspicious registry modifications (rule.name). Tune the rule to exclude legitimate software installers or system administration tools that may temporarily modify these settings.
- Monitor registry events, specifically changes to the BehaviorOnFailedVerify value, to identify potential attempts to disable code signing policy (event.type, registry.value, registry.data.strings).
- Investigate any alerts generated by the detection rule, focusing on the process execution chain and the legitimacy of the user account performing the action (rule.note).
- Enable Sysmon registry event logging to gain better visibility into registry modifications (setup).
- Ensure that Driver Signature Enforcement (DSE) is enabled on all systems to prevent the loading of unsigned drivers (rule.description).
- Deploy the Sigma rule "Suspicious Process Modifying Code Signing Policy Registry" to identify potentially malicious processes attempting to disable code signing (rule.name).
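The following is an added illustration, not code from this page or from the rule vendor: the logic of the two rules recommended above, run over constructed Sysmon Event ID 13 (registry value set) records. The key path under HKLM\SOFTWARE\Policies and the system-process allow-list are assumptions made here; the page names only the BehaviorOnFailedVerify value and the "0"/"1" data.

```python
import re

# Constructed Sysmon Event ID 13 records for illustration, not real telemetry. The key
# path is an assumption (the page names only the value). Sysmon renders DWORD data as
# "DWORD (0x........)"; BehaviorOnFailedVerify 0 = ignore, 1 = warn, 2 = block.
POLICY_PATH = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": POLICY_PATH, "Details": "DWORD (0x00000000)"},   # 0 = ignore failure
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": POLICY_PATH, "Details": "DWORD (0x00000001)"},   # 1 = warn only
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": POLICY_PATH, "Details": "DWORD (0x00000002)"},   # 2 = block (hardening)
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\Unrelated", "Details": "DWORD (0x00000000)"},
]

# Allow-list for the second rule's "non-system process" condition. Constructed for this
# example; a real deployment tunes it to the installers and management tools it sees.
SYSTEM_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\msiexec.exe"}

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
FIRST_RULE = "Code Signing Policy Modification Through Registry"
SECOND_RULE = "Suspicious Process Modifying Code Signing Policy Registry"

def registry_data(details):
    """Parse Sysmon Details into an int; accepts the DWORD rendering or a bare "0"/"1"."""
    m = DWORD_RE.fullmatch(details.strip())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None

def matched_rules(event):
    """Return the names of the two rules above that fire on one Sysmon event."""
    if event.get("EventID") != 13:
        return []
    if not event["TargetObject"].lower().endswith(r"\behavioronfailedverify"):
        return []
    if registry_data(event["Details"]) not in (0, 1):   # only 0/1 weaken enforcement
        return []
    rules = [FIRST_RULE]
    if event["Image"].lower() not in SYSTEM_IMAGES:
        rules.append(SECOND_RULE)
    return rules

def triage(events):
    """Pair each flagged image with its rules, the starting point for the investigation step."""
    return [(e["Image"], matched_rules(e)) for e in events if matched_rules(e)]
```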
Detection coverage (2 rules)
Code Signing Policy Modification Through Registry
Severity: medium. Detects modifications to the BehaviorOnFailedVerify registry value, which can disable code signing enforcement.
Suspicious Process Modifying Code Signing Policy Registry
Severity: medium. Detects non-system processes modifying the BehaviorOnFailedVerify registry value, indicative of potential policy subversion.