Bypass Record
Code-Signing Abuse × Microsoft Windows Code Integrity
A publicly reported instance of Code-Signing Abuse bypassing Microsoft Windows Code Integrity, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Signature Kid extracts the digital signature from a legitimately signed PE file and injects it into a malicious file. It then modifies the CryptSIPDllVerifyIndirectData registry key so that Windows accepts the spoofed signature as valid. The now-signed malicious DLL is injected into protected processes using SetWindowsHookEx, bypassing kernel-mode protections such as callbacks registered with ObRegisterCallbacks, because the signature appears trusted.
Detection & mitigation
Monitor for modifications to the CryptSIPDllVerifyIndirectData registry key (e.g., under HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData) and use Sysmon Event ID 13 (Registry value set) to alert on changes. Validate digital signatures on loaded DLLs using AppLocker or WDAC policies that verify signatures independently of the tampered registry entry, and investigate any process loading a DLL whose signature chain does not resolve to a trusted root.
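The Sysmon Event ID 13 check above, as an added example that is not part of the original record or the cited source: it flattens Sysmon event XML, keeps only SetValue writes under the CryptSIPDllVerifyIndirectData key, and rates a write to a Dll value that points outside System32 as high severity. The sample events, the regedit.exe image, the verify.dll path and the GUID subkey placeholder are all constructed; the assumption that stock Windows registers its SIP verifier DLLs under System32 is mine.

```python
import xml.etree.ElementTree as ET

# Key named on this page; Sysmon reports TargetObject as HKLM\SOFTWARE\... (matched case-insensitively).
SIP_KEY = r"\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData"
# Assumption: stock Windows registers each SIP verifier DLL under System32, so a "Dll"
# value pointing anywhere else is the strongest signal that verification was redirected.
SYSTEM32 = "c:\\windows\\system32\\"

def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event record into {"EventID": int, <Data Name>: text, ...}."""
    event = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]               # strip the Windows event namespace
        if tag == "EventID":
            event["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            event[el.get("Name")] = (el.text or "").strip()
    return event

def assess_sip_write(event):
    """Return an alert dict for a SetValue under the SIP verify key, else None."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    target = event.get("TargetObject", "")
    if SIP_KEY.lower() not in target.lower():
        return None
    value_name = target.rsplit("\\", 1)[-1]        # last path component is the value name
    details = event.get("Details", "")
    severity = "medium"                            # any write here deserves review
    if value_name == "Dll" and not details.lower().startswith(SYSTEM32):
        severity = "high"                          # verifier redirected outside System32
    return {"severity": severity, "value": value_name, "details": details,
            "image": event.get("Image", ""), "time": event.get("UtcTime", "")}

def scan(records):
    """Run assess_sip_write over a list of Sysmon event XML strings; return the alerts."""
    return [a for a in (assess_sip_write(parse_sysmon_event(r)) for r in records) if a]

def _ev(target, details, image="C:\\Windows\\regedit.exe"):
    """Build a constructed Sysmon Event ID 13 record (sample data, not captured from a host)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>13</EventID></System><EventData>"
            '<Data Name="EventType">SetValue</Data><Data Name="UtcTime">2024-01-01 12:00:00.000</Data>'
            f'<Data Name="Image">{image}</Data><Data Name="TargetObject">{target}</Data>'
            f'<Data Name="Details">{details}</Data></EventData></Event>')

# Constructed sample: the real subkey is a per-file-type GUID; a placeholder is used here.
SIP_PATH = r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{PLACEHOLDER-SIP-GUID}"
SAMPLE_EVENTS = [
    _ev(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Program Files\Updater\u.exe"),
    _ev(SIP_PATH + "\\Dll", r"C:\Users\Public\verify.dll"),       # redirected verifier -> high
    _ev(SIP_PATH + "\\FuncName", "VerifyIndirectData"),           # still a write to the key -> medium
]
```

Sysmon only emits Event ID 13 for keys its configuration includes, so a RegistryEvent rule covering this key is a prerequisite for the check to fire at all.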
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.