DET0523: Detect Code Signing Policy Modification (Windows & macOS)
Analyst context for executives and security teams
This detection strategy matters because changes to code signing policy can weaken a core trust control: whether Windows or macOS systems are allowed to run only trusted, signed code. If that policy is modified, defenders may lose an important barrier against unsigned or self-signed software, making incident response and control assurance harder.
Executive priority
Treat this as a control-integrity and resilience issue, not just an endpoint alert. Leaders should ask whether the organization can prove that code signing enforcement settings on Windows and macOS are monitored, changes are authorized, and exceptions are reviewed. This is relevant to audit evidence, endpoint hardening, incident containment decisions, and prioritizing controls that prevent defense impairment.
Technical view
DET0523 is a detection strategy for behavior related to ATT&CK T1553.006, Code Signing Policy Modification, under the defense-impairment tactic. SOC and detection teams should validate visibility into policy, configuration, and security-control changes that affect code signing enforcement on Windows and macOS. Because the supplied ATT&CK object does not include official detection logic, teams should map this strategy to locally available telemetry and authorized administration workflows.
Likely telemetry
- Endpoint configuration and policy change logs related to code signing enforcement
- Operating system security logs from Windows and macOS endpoints
- Endpoint detection and response events showing security control or trust policy modification
- Administrative activity records for users or tools allowed to change endpoint security policy
- Change-management records for approved code signing policy exceptions or enforcement changes
Detection direction
- Baseline expected code signing policy states for Windows and macOS and alert on unauthorized drift.
- Correlate policy modification events with administrator identity, host role, change ticket, and maintenance window to reduce false positives.
- Prioritize changes that weaken enforcement, allow unsigned code, or introduce self-signed code paths, consistent with the related technique description.
- Tune carefully for legitimate endpoint management, software deployment, driver management, or macOS administration activity.
- Validate that telemetry is collected from endpoints where code signing controls are expected to provide assurance; lack of collection is a key blind spot.
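The baseline-and-drift logic in the list above, with the identity, ticket and maintenance-window correlation folded in, as an added example in Python. This is illustrative code written for this page, not code from Glexia, MITRE or any endpoint product; the event schema, setting names and values, hosts, accounts, ticket ids and maintenance window are all constructed, and a real deployment would populate them from its own configuration telemetry, IAM and change-management records.

```python
"""Baseline-drift triage for code signing policy change events.

Added illustrative example, not code from Glexia, MITRE or any product.
The event schema, setting names, values, hosts, accounts, ticket ids and
maintenance window below are constructed to show the correlation logic.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Expected enforcement state per platform (constructed baseline).
BASELINE: Dict[str, Dict[str, str]] = {
    "windows": {"code_signing_enforcement": "enforced"},
    "macos": {"code_signing_enforcement": "enforced"},
}
# New values that weaken enforcement (constructed vocabulary).
WEAKENING_VALUES = {"disabled", "allow_unsigned", "allow_self_signed"}
# Authorization context a SOC would pull from IAM and change management.
APPROVED_ADMINS = {"svc-endpoint-mgmt", "alice.admin"}
APPROVED_TICKETS = {"CHG-1042"}
MAINTENANCE_WINDOW = (
    datetime(2026, 3, 7, 1, 0, tzinfo=timezone.utc),
    datetime(2026, 3, 7, 3, 0, tzinfo=timezone.utc),
)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class PolicyChangeEvent:
    host: str
    platform: str          # "windows" or "macos"
    setting: str
    old_value: str
    new_value: str
    actor: str
    timestamp: datetime
    ticket: Optional[str] = None


def is_drift(event: PolicyChangeEvent) -> bool:
    """True when the new value departs from the documented baseline."""
    expected = BASELINE.get(event.platform, {}).get(event.setting)
    return expected is not None and event.new_value != expected


def weakens_enforcement(event: PolicyChangeEvent) -> bool:
    """True for changes that open unsigned or self-signed code paths."""
    return event.new_value in WEAKENING_VALUES


def is_authorized(event: PolicyChangeEvent) -> bool:
    """Approved actor, approved ticket, and inside the maintenance window."""
    start, end = MAINTENANCE_WINDOW
    return (
        event.actor in APPROVED_ADMINS
        and event.ticket in APPROVED_TICKETS
        and start <= event.timestamp <= end
    )


def severity_for(event: PolicyChangeEvent) -> str:
    weak, auth = weakens_enforcement(event), is_authorized(event)
    if weak and not auth:
        return "high"    # unauthorized weakening: possible defense impairment
    if weak or not auth:
        return "medium"  # approved exception, or unapproved non-weakening drift
    return "low"         # approved drift that does not weaken enforcement


def assess(events: List[PolicyChangeEvent]) -> List[dict]:
    """Return one alert per drift event, highest severity first."""
    alerts = []
    for ev in events:
        if not is_drift(ev):
            continue  # restores to baseline and no-op changes are not alerts
        alerts.append({
            "host": ev.host,
            "platform": ev.platform,
            "severity": severity_for(ev),
            "change": f"{ev.setting}: {ev.old_value} -> {ev.new_value}",
            "actor": ev.actor,
            "ticket": ev.ticket,
            "authorized": is_authorized(ev),
        })
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


# Constructed sample events: an approved exception inside the window, an
# unexplained change on a Mac outside the window, and a restore to baseline.
SAMPLE_EVENTS = [
    PolicyChangeEvent("win-101", "windows", "code_signing_enforcement",
                      "enforced", "allow_unsigned", "svc-endpoint-mgmt",
                      datetime(2026, 3, 7, 1, 30, tzinfo=timezone.utc), "CHG-1042"),
    PolicyChangeEvent("mac-042", "macos", "code_signing_enforcement",
                      "enforced", "disabled", "bob",
                      datetime(2026, 3, 8, 14, 5, tzinfo=timezone.utc)),
    PolicyChangeEvent("win-101", "windows", "code_signing_enforcement",
                      "allow_unsigned", "enforced", "svc-endpoint-mgmt",
                      datetime(2026, 3, 7, 2, 45, tzinfo=timezone.utc), "CHG-1042"),
]

if __name__ == "__main__":
    for alert in assess(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields two alerts: the unapproved macOS change ranks high, the ticketed Windows exception ranks medium so it is still reviewed as an approved weakening, and the restore to baseline produces nothing. The severity rule deliberately keeps approved weakening visible rather than suppressing it, which is what the exception-review point in the mitigation list calls for.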
Mitigation priorities
- Define and document approved code signing enforcement standards for Windows and macOS systems.
- Restrict who can modify endpoint trust, signing, or security enforcement policy.
- Require change approval and evidence retention for code signing policy exceptions.
- Monitor for configuration drift and investigate unauthorized weakening of signing enforcement.
- Include code signing policy state in incident response triage when defense impairment is suspected.
Analyst notes and limits
The ATT&CK detection strategy object is sparse: it provides the name, external reference, and relationship to T1553.006, but no official description, detection text, platforms, or tactics directly on the detection strategy. The practical guidance above is derived from the supplied relationship to Code Signing Policy Modification and its Windows/macOS platform context.
This take does not assert active exploitation, actor use, specific products, or guaranteed detection coverage. Local operating system version, endpoint management design, logging configuration, and change-control practices determine what can actually be detected.
Detect Code Signing Policy Modification (Windows & macOS)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1553.006 | Code Signing Policy Modification (sub-technique) | This object detects Code Signing Policy Modification. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a7f81e40aa9f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0523
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.