LoFP / false positives may be present in some instances of legitimate binaries with invalid signatures. filter as needed.

Techniques

• T1553.003

Sample rules

Windows SIP WinVerifyTrust Failed Trust Validation

• source: splunk
• technicques:
  • T1553.003

Description

The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that “The digital signature of the object did not verify.” This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.

Detection logic

`capi2_operational` EventID=81 "The digital signature of the object did not verify." 
| xmlkv UserData_Xml 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml 
| rename Computer as dest 
| `windows_sip_winverifytrust_failed_trust_validation_filter`