Monitors execution of administrative utilities (e.g., bcdedit.exe) or registry modifications that disable Driver Signature Enforcement (DSE) or enable Test Signing. Correlates command-line activity, registry changes, and subsequent process executions that bypass signing enforcement.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |

| Field | Description |
|---|---|
| MonitoredExecutables | Expand or restrict monitored utilities (e.g., bcdedit.exe, reg.exe) based on enterprise usage |
| RegistryPaths | Customize registry paths tied to Driver Signing enforcement depending on OS version |
| TimeWindow | Correlation window between registry modification and subsequent unsigned binary execution |
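As an added example (not part of the ATT&CK page or any vendor analytic), the Windows correlation above expressed in Python over constructed 4688/4657 events: the `MonitoredExecutables`, `RegistryPaths` and `TimeWindow` elements map to the three tunables at the top. The `signed` field on process events, the `host` field and the Code Integrity registry path are assumptions for the sample data, not fields the native Security log provides.

```python
import re
from datetime import datetime

MONITORED_EXES = ("bcdedit.exe", "reg.exe")                  # MonitoredExecutables
REGISTRY_PATHS = (r"\SYSTEM\CurrentControlSet\Control\CI",)  # RegistryPaths (assumed; tune per OS version)
DSE_CMDLINE = re.compile(r"(testsigning|nointegritychecks)\s+on", re.I)


def is_dse_trigger(ev):
    """True when a 4688 or 4657 event looks like a DSE / Test Signing change."""
    if ev["EventCode"] == 4688:
        exe = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        return exe in MONITORED_EXES and bool(DSE_CMDLINE.search(ev["CommandLine"]))
    if ev["EventCode"] == 4657:
        return any(p.lower() in ev["ObjectName"].lower() for p in REGISTRY_PATHS)
    return False


def correlate(events, window_s=600):  # window_s = TimeWindow in seconds
    """One alert per unsigned process start that follows a DSE trigger on the
    same host within window_s; lists the EventCodes of the triggers found."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        # 'signed' is an assumed enrichment field; native 4688 does not carry it.
        if ev["EventCode"] != 4688 or ev.get("signed") is not False:
            continue
        triggers = [t for t in events[:i] if t["host"] == ev["host"]
                    and (ev["ts"] - t["ts"]).total_seconds() <= window_s
                    and is_dse_trigger(t)]
        if triggers:
            alerts.append({"host": ev["host"], "process": ev["NewProcessName"],
                           "triggers": [t["EventCode"] for t in triggers]})
    return alerts


T = datetime.fromisoformat
SAMPLE = [  # constructed events, not real telemetry
    {"ts": T("2024-01-01T10:00:00"), "host": "ws1", "EventCode": 4688, "signed": True,
     "NewProcessName": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set testsigning on"},
    {"ts": T("2024-01-01T10:00:30"), "host": "ws2", "EventCode": 4688, "signed": True,
     "NewProcessName": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /enum"},
    {"ts": T("2024-01-01T10:03:00"), "host": "ws1", "EventCode": 4657,
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\CI"},
    {"ts": T("2024-01-01T10:05:00"), "host": "ws1", "EventCode": 4688, "signed": False,
     "NewProcessName": r"C:\Users\Public\loader.exe", "CommandLine": "loader.exe"},
]
```

Running `correlate(SAMPLE)` yields a single alert for ws1 backed by both the bcdedit command line and the registry change, while the benign `bcdedit /enum` on ws2 produces nothing.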
Detects modification of System Integrity Protection (SIP) or code signing enforcement policies through csrutil or kernel variable tampering. Correlates execution of csrutil disable commands with subsequent policy state changes and anomalous unsigned process executions.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | csrutil disable |
| Windows Registry Key Modification (DC0063) | macos:unifiedlog | g_CiOptions modification or SIP state change |
| Process Creation (DC0032) | macos:unifiedlog | Unsigned binary execution following SIP change |

| Field | Description |
|---|---|
| PolicyPaths | Track configuration files and kernel extensions tied to SIP enforcement |
| AllowedUsers | Restrict or expand which privileged accounts are monitored for SIP/csrutil changes |
| TimeWindow | Define the correlation window between csrutil execution and unsigned process activity |