Detection rules › Splunk
Windows SIP WinVerifyTrust Failed Trust Validation
The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that "The digital signature of the object did not verify." This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| CAPI2 | 81 | For more details for this event, please refer to the "Details" section |
Stages and Predicates
Stage 1: search
search EventID=81
Stage 2: xmlkv
xmlkv
Stage 3: stats
stats BY Computer, UserData_Xml
Stage 4: rename
rename
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventID | eq |
|