Detects execution of binaries signed with unusual or recently issued certificates, correlates process creation (Security 4688) with module loads whose publisher metadata is abnormal, and flags mismatched certificate chains. Also monitors for revoked or unknown code signing certificates used in high-privilege contexts. Note that 4688 carries no signature fields: the signer name and SignatureStatus come from Sysmon Event ID 7, and the certificate issuer and issuance date need enrichment from the file itself (for example Get-AuthenticodeSignature), since neither event records them.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| AllowedCertificateAuthorities | Define trusted issuers to suppress noise from legitimate enterprise signing chains |
| TimeWindow | Correlation window for detecting execution of binaries with newly observed or anomalous certificates |
| CertificateAgeThreshold | Baseline normal age of certificates; flag very recent or expired certificates |

Monitors Gatekeeper, spctl, and unified log entries for binaries executed with unexpected or untrusted signatures. Correlates file metadata changes with subsequent process launches where signature validation was skipped, altered, or failed but the process still executed. A Gatekeeper or spctl rejection on its own is expected behaviour; the signal is a failed or altered verification followed within the window by execution of the same file, or execution of a binary whose signing identity is outside the Developer ID allow list.

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | Code signing verification failures or bypassed trust decisions |
| Process Creation (DC0032) | macos:unifiedlog | Execution of binaries that are unsigned or signed with an unexpected identity |

| Field | Description |
|---|---|
| DeveloperIDAllowList | Maintain list of expected Developer IDs to minimize false positives from enterprise apps |
| TimeWindow | Correlates file signature changes with subsequent executions |
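As an added example (not part of this page or of ATT&CK), the Python below implements both analytics over constructed records: Security 4688 plus Sysmon Event ID 7 for the Windows analytic, and records normalized from the macOS unified log for the second, applying the mutable elements above (AllowedCertificateAuthorities, CertificateAgeThreshold, TimeWindow, DeveloperIDAllowList). The `Issuer` and `NotBefore` fields on the Sysmon records are assumed enrichment, since Sysmon does not emit them; the macOS records use this example's own normalized field names, not the raw unified log text; every log record, path and allow list value is constructed.

```python
from datetime import datetime, timedelta

# Mutable elements from the two analytics above; the values are constructed for this example.
ALLOWED_CERTIFICATE_AUTHORITIES = {"Microsoft Windows Production PCA 2011"}
DEVELOPER_ID_ALLOW_LIST = {"Developer ID Application: Example Corp (ABCDE12345)"}
CERTIFICATE_AGE_THRESHOLD = timedelta(days=30)   # flag leaf certs younger than this at time of use
TIME_WINDOW = timedelta(minutes=5)               # correlation window for both analytics
ELEVATED_TOKENS = {"%%1936", "%%1937"}           # 4688 TokenElevationType: default or full token


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def within_window(later, earlier):
    """True when `earlier` precedes `later` by no more than TIME_WINDOW."""
    return timedelta(0) <= ts(later) - ts(earlier) <= TIME_WINDOW


# Constructed Security EventCode=4688 records (no signature fields exist on this event).
PROCESS_CREATIONS = [
    {"UtcTime": "2024-05-01 10:00:00", "NewProcessName": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "TokenElevationType": "%%1937"},
    {"UtcTime": "2024-05-01 10:20:00", "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "TokenElevationType": "%%1936"},
]

# Constructed Sysmon EventCode=7 records. Signed/Signature/SignatureStatus are Sysmon's own fields;
# Issuer and NotBefore are ASSUMED enrichment (e.g. from Get-AuthenticodeSignature on the file).
MODULE_LOADS = [
    {"UtcTime": "2024-05-01 10:00:03", "Image": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\helper.dll", "Signed": "true",
     "Signature": "Contoso Tools LLC", "SignatureStatus": "Valid",
     "Issuer": "Example Issuing CA 01", "NotBefore": "2024-04-29 00:00:00"},
    {"UtcTime": "2024-05-01 10:20:01", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Issuer": "Microsoft Windows Production PCA 2011", "NotBefore": "2023-06-01 00:00:00"},
    # Unsigned, but 40 minutes after the parent's 4688: outside TIME_WINDOW, so not correlated.
    {"UtcTime": "2024-05-01 10:40:00", "Image": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\late.dll", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable", "Issuer": "", "NotBefore": ""},
]


def windows_findings(creations=PROCESS_CREATIONS, loads=MODULE_LOADS):
    """Correlate 4688 with Sysmon 7 inside TIME_WINDOW and flag anomalous signatures."""
    findings = []
    for load in loads:
        parents = [c for c in creations
                   if c["NewProcessName"] == load["Image"] and within_window(load["UtcTime"], c["UtcTime"])]
        if not parents:
            continue
        reasons = []
        if load["Signed"] != "true":
            reasons.append("unsigned")
        elif load["SignatureStatus"] != "Valid":            # e.g. Expired, revoked, tampered
            reasons.append("status=" + load["SignatureStatus"])
        else:
            if load["Issuer"] not in ALLOWED_CERTIFICATE_AUTHORITIES:
                reasons.append("issuer not allowlisted")
            if ts(load["UtcTime"]) - ts(load["NotBefore"]) < CERTIFICATE_AGE_THRESHOLD:
                reasons.append("certificate younger than threshold")
        if reasons:
            findings.append({"image": load["ImageLoaded"], "reasons": reasons,
                             "elevated": parents[0]["TokenElevationType"] in ELEVATED_TOKENS})
    return findings


# Constructed records normalized from macos:unifiedlog (this example's own shape, not raw log text).
MACOS_EVENTS = [
    {"time": "2024-05-01 11:00:00", "kind": "file_metadata",
     "path": "/Applications/Tool.app/Contents/MacOS/Tool", "detail": "code signature invalid"},
    {"time": "2024-05-01 11:01:30", "kind": "process_creation",
     "path": "/Applications/Tool.app/Contents/MacOS/Tool",
     "signer": "Developer ID Application: Example Corp (ABCDE12345)"},
    {"time": "2024-05-01 12:00:00", "kind": "process_creation", "path": "/tmp/dropper", "signer": None},
    {"time": "2024-05-01 13:00:00", "kind": "process_creation",
     "path": "/Applications/Tool.app/Contents/MacOS/Tool",
     "signer": "Developer ID Application: Example Corp (ABCDE12345)"},   # clean launch, no finding
]


def macos_findings(events=MACOS_EVENTS):
    """Flag launches of unsigned/unexpected signers and launches shortly after a signature failure."""
    metadata = [e for e in events if e["kind"] == "file_metadata"]
    findings = []
    for e in events:
        if e["kind"] != "process_creation":
            continue
        reasons = []
        if e["signer"] is None:
            reasons.append("unsigned")
        elif e["signer"] not in DEVELOPER_ID_ALLOW_LIST:
            reasons.append("signer not allowlisted")
        if any(m["path"] == e["path"] and within_window(e["time"], m["time"]) for m in metadata):
            reasons.append("executed after signature failure")
        if reasons:
            findings.append({"path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in windows_findings() + macos_findings():
        print(f)
```

The allow lists are keyed on the issuer (Windows) and the full signing identity (macOS) rather than the signer display name, because a display name is attacker-chosen while the issuing chain is what the trust decision actually rests on; the `late.dll` record shows why the window matters, since an unsigned load with no recent parent creation is reported by a different analytic, not this one.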