Subvert Trust Controls: Code Signing

Created the Saturday 04 March 2023. Updated 6 months, 3 weeks ago.

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows systems.

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Technique Identifier

T1553.002

Technique Tags

Defense Evasion falsification of trusted signatures code signing falsifying certificates self signed digital certificates fake certificates valid CA invalid certificates revoked certificates stolen certificates forged certificates APT29 APT41

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Subvert Trust Controls: Code Signing, Sub-technique T1553.002 - Enterprise | MITRE ATT&CK®