False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.

Techniques

Sample rules

Windows SIP WinVerifyTrust Failed Trust Validation

Description

The following analytic uses the Windows Event Log CAPI2 (CryptoAPI 2) to identify failed trust validation. This event log is typically meant for diagnosing PKI issues; however, it is also a great source for identifying failed trust validation. Note that this log is noisy, as it captures common PKI requests from many different processes. EventID 81 is generated any time a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using the Mimikatz binary.

Detection logic

`capi2_operational` EventID=81 "The digital signature of the object did not verify." 
| xmlkv UserData_Xml 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml 
| rename Computer as dest 
| `windows_sip_winverifytrust_failed_trust_validation_filter`
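A stand-alone Python re-implementation of the filter and aggregation above, added here as an example and not part of the LoFP page or the Splunk rule; the event XML, the EventID 11 noise event and the WinVerifyTrust/FileName element names under UserData are constructed assumptions, so check the real EventID 81 payload in the CAPI2 Operational log before relying on the field names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, computer, time, file_name):
    # Constructed CAPI2 event; the <WinVerifyTrust>/<FileName> names are assumptions.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer>'
            f'</System><UserData><WinVerifyTrust><FileName>{file_name}</FileName>'
            f'</WinVerifyTrust></UserData></Event>')

# Constructed sample: two failures for one file on WS01, one on WS02, plus
# one non-81 CAPI2 event that the EventID filter must drop.
SAMPLE_EVENTS = [
    make_event(81, "WS01", "2024-03-01T09:00:00Z", "C:\\Tools\\mimikatz.exe"),
    make_event(81, "WS01", "2024-03-01T09:05:00Z", "C:\\Tools\\mimikatz.exe"),
    make_event(81, "WS02", "2024-03-01T09:07:00Z", "C:\\Temp\\setup.exe"),
    make_event(11, "WS01", "2024-03-01T09:08:00Z", "C:\\Windows\\notepad.exe"),
]

def local(tag):
    # Drop the XML namespace so keys are bare element names, as xmlkv emits.
    return tag.rsplit("}", 1)[-1]

def flatten_userdata(root):
    # Counterpart of `| xmlkv UserData_Xml`: each leaf element under
    # <UserData> becomes a name=value pair.
    user_data = root.find("e:UserData", NS)
    return {local(leaf.tag): leaf.text.strip()
            for leaf in user_data.iter() if len(leaf) == 0 and leaf.text}

def failed_trust_validations(events):
    # Counterpart of the SPL pipeline: keep EventID 81 only, then count with
    # first/last seen per (Computer renamed to dest, flattened UserData fields).
    results = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for xml_text in events:
        root = ET.fromstring(xml_text)
        system = root.find("e:System", NS)
        if system.findtext("e:EventID", namespaces=NS) != "81":
            continue
        time = system.find("e:TimeCreated", NS).get("SystemTime")
        dest = system.findtext("e:Computer", namespaces=NS)
        key = (dest, tuple(sorted(flatten_userdata(root).items())))
        row = results[key]
        row["count"] += 1
        # ISO-8601 UTC timestamps compare chronologically as plain strings.
        row["firstTime"] = min(t for t in (row["firstTime"], time) if t)
        row["lastTime"] = max(t for t in (row["lastTime"], time) if t)
    return dict(results)
```

The result keys are (dest, UserData fields) tuples, so the same legitimate binary failing verification repeatedly on one host collapses into a single row, which is where the filter macro for known-bad signatures belongs.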