Masquerading: Invalid Code Signature

Created the Friday 10 February 2023. Updated 6 months, 2 weeks ago.

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.

Unlike Code Signing, this activity will not result in a valid signature.

Technique Identifier

T1036.001

Technique Tags

Defense Evasion Impersonating valid code signatures APT37 invalid code signatures invalid digital certificates unverified signatures fake certificates revoked certificates

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Masquerading: Invalid Code Signature, Sub-technique T1036.001 - Enterprise | MITRE ATT&CK®