Execution of binaries with invalid digital signatures, where the file metadata claims the code is signed but validation fails. This behavior is often correlated with suspicious parent processes or unexpected execution paths.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Metadata (DC0059) | WinEventLog:Windows Defender | Operational log |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| SignatureValidationResult | Allows tuning to include 'invalid', 'expired', or 'untrusted root' based on environment tolerance |
| ParentProcessName | Helps tune false positives by limiting to suspicious parent process executions |
| TimeWindow | Defines correlation window between metadata check and process execution |
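As an added example (not ATT&CK's own analytic), the correlation described above in Python: process-creation events are matched against signature-validation results for the same image within a time window, with the three mutable elements exposed as parameters. The `SignatureCheck` schema and all sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Tunables for the three mutable elements above; these values are assumptions, not ATT&CK's.
FLAGGED_RESULTS = {"invalid", "expired", "untrusted root"}              # SignatureValidationResult
SUSPICIOUS_PARENTS = {"winword.exe", "powershell.exe", "wscript.exe"}   # ParentProcessName
TIME_WINDOW = timedelta(seconds=30)                                     # TimeWindow
@dataclass
class ProcessCreate:   # subset of Sysmon EventCode=1 fields
    utc_time: datetime
    image: str
    parent_image: str
    process_guid: str
@dataclass
class SignatureCheck:  # a file-metadata validation result; this schema is constructed
    utc_time: datetime
    image: str
    result: str        # e.g. "valid", "invalid", "expired", "untrusted root"
def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def correlate(procs, checks, flagged=FLAGGED_RESULTS, parents=SUSPICIOUS_PARENTS, window=TIME_WINDOW):
    """Return (process_guid, result, parent) for each process start whose image had a flagged
    signature check within `window` of it. parents=None disables the parent-process filter."""
    checks_by_image = {}
    for c in checks:
        checks_by_image.setdefault(basename(c.image), []).append(c)
    hits = []
    for p in procs:
        parent = basename(p.parent_image)
        if parents is not None and parent not in parents:
            continue
        for c in checks_by_image.get(basename(p.image), []):
            if c.result.lower() in flagged and abs(c.utc_time - p.utc_time) <= window:
                hits.append((p.process_guid, c.result.lower(), parent))
                break
    return hits

T = datetime(2024, 1, 1, 12, 0, 0)  # constructed sample events below, not real telemetry
PROCS = [
    ProcessCreate(T, r"C:\Users\Public\update.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "G1"),
    ProcessCreate(T, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "G2"),
    ProcessCreate(T, r"C:\Users\Public\tool.exe", r"C:\Windows\System32\wscript.exe", "G3"),
    ProcessCreate(T, r"C:\Temp\agent.exe", r"C:\Windows\explorer.exe", "G4"),
]
CHECKS = [
    SignatureCheck(T + timedelta(seconds=5), r"C:\Users\Public\update.exe", "Invalid"),
    SignatureCheck(T, r"C:\Windows\System32\notepad.exe", "valid"),
    SignatureCheck(T + timedelta(minutes=10), r"C:\Users\Public\tool.exe", "expired"),  # outside window
    SignatureCheck(T - timedelta(seconds=2), r"C:\Temp\agent.exe", "untrusted root"),
]
```

With the defaults only G1 fires; widening `window` or passing `parents=None` shows how each tunable trades coverage for false positives.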

Binaries or applications executed with tampered or unverifiable code signatures. This is often tied to Gatekeeper bypasses, App Translocation, or the use of unsigned launch daemons by untrusted users.

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | subsystem:syspolicyd |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| File Modification (DC0061) | fs:fileevents | /var/log/install.log |

| Field | Description |
|---|---|
| CodeSigningStatus | Filters such as 'Unsigned', 'NotTrusted', or 'ModifiedSinceSigning' may vary by policy enforcement level |
| UserContext | Tune whether detection applies to all users or excludes trusted admin accounts |
| ExecutablePathPrefix | Enables tuning for known valid locations (e.g., /Applications) vs. suspicious paths (e.g., /Users/Shared) |