Code Signing
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of assurance that a binary comes from the developer who signed it and that it has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity results in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems; it is not used on Linux due to the decentralized nature of the platform. Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
Detection logic
Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
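The detection logic above, as an added example that is not part of the original page: an outlier check over constructed signing telemetry that flags valid signatures whose signer is outside an assumed baseline, merely resembles a baseline name, is rarely seen, or uses a certificate issued shortly before the binary ran. Field names, the baseline and the thresholds are assumptions for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample telemetry: one record per executed, signed binary.
# Field names mimic what an EDR or Sysmon-style event carries (assumption).
EVENTS = [
    {"image": r"C:\Program Files\Vendor\app.exe", "signer": "Vendor Corp",
     "issuer": "Public CA 1", "not_before": date(2022, 3, 1), "valid": True},
    {"image": r"C:\Windows\System32\svchost.exe",
     "signer": "Microsoft Corporation", "issuer": "Public CA 2",
     "not_before": date(2023, 1, 10), "valid": True},
    # Valid signature, but the signer only resembles the known vendor and
    # the certificate was issued days before the binary first ran.
    {"image": r"C:\Users\Public\update.exe", "signer": "Vendor Corp Ltd",
     "issuer": "Public CA 3", "not_before": date(2024, 5, 20), "valid": True},
    # Invalid signature: out of scope here (that is Invalid Code Signature).
    {"image": r"C:\Users\Public\tool.exe", "signer": "Acme Tooling",
     "issuer": "Acme Tooling", "not_before": date(2021, 1, 1), "valid": False},
]
BASELINE_SIGNERS = {"Vendor Corp", "Microsoft Corporation"}  # assumed known-good
RUN_DATE = date(2024, 6, 1)  # date the constructed telemetry was collected


def find_outliers(events, baseline, today, min_seen=2, fresh_days=30):
    """Map image path -> list of reasons, for valid signatures only."""
    seen = Counter(e["signer"] for e in events if e["valid"])
    findings = {}
    for e in events:
        if not e["valid"]:
            continue  # invalid signatures belong to a different technique
        s, reasons = e["signer"], []
        if s not in baseline:
            reasons.append("not in baseline")
            # A signer that contains a known name but is not that name.
            reasons += [f"lookalike of {b}" for b in sorted(baseline) if b in s]
            if seen[s] < min_seen:
                reasons.append("rare signer")
        if (today - e["not_before"]).days < fresh_days:
            reasons.append("recently issued certificate")
        if reasons:
            findings[e["image"]] = reasons
    return findings


def run_example():
    return find_outliers(EVENTS, BASELINE_SIGNERS, RUN_DATE)


if __name__ == "__main__":
    for image, reasons in run_example().items():
        print(image, "->", ", ".join(reasons))
```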
Observed actors
G0093
G0094 Kimsuky
G0040 Patchwork
G0096 APT41
G0045 menuPass
G0037 FIN6
G0046 FIN7
G1015 Scattered Spider
G1009 Moses Staff
G0039 Suckfly
G1031 Saint Bear
G0065 Leviathan
G0092 TA505
G0016 APT29
G0012 Darkhotel
G1003 Ember Bear
G1014 LuminousMoth
G0044 Winnti Group
G0032 Lazarus Group
G0091 Silence
G0052 CopyKittens
G0102 Wizard Spider
G0021 Molerats
G0056 PROMETHIUM
G1034 Daggerfly