T1553.002: Code Signing
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.
Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform.
Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-780: Process_Herpaderping_Injection: The use of Herpaderping was detected. Herpaderping is a method of bypassing antivirus and security tools by modifying the content of a file after it has been mapped into memory, but before the first thread is started.
Detection
ID | Data source and component | Description
---|---|---
DS0022 | File: File Metadata | Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
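One way to turn the DS0022 detection guidance into an analytic is to baseline the signing-certificate metadata of executed binaries and flag certificates that deviate from it: issuers never seen elsewhere in the environment, self-signed certificates, unusually short validity periods, certificates issued only days before the signed binary first executed, and signers present on a single host. The script below is an added example written for this page, not code from MITRE ATT&CK or from the MaxPatrol SIEM rule set; the telemetry records, their field names (`host`, `subject`, `issuer`, `not_before`, `not_after`, `thumbprint`, `observed`) and the thresholds are constructed assumptions, not any product's export schema.

```python
"""Baseline-and-outlier analysis of code-signing certificate metadata (T1553.002).

Added example: groups executed-binary telemetry by signing certificate, derives a
baseline of issuers seen across the environment, and flags certificates whose
characteristics are unusual relative to that baseline.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


def _rec(host, path, cert, observed):
    """Build one execution record; `cert` is (subject, issuer, not_before, not_after, thumbprint)."""
    subject, issuer, not_before, not_after, thumbprint = cert
    return {"host": host, "path": path, "subject": subject, "issuer": issuer,
            "not_before": not_before, "not_after": not_after,
            "thumbprint": thumbprint, "observed": observed}


# Constructed certificates (assumed values, not real signers or CAs).
ACME = ("Acme Software Inc.", "Example Public CA G3", "2022-03-01", "2025-03-01", "a1" * 20)
OSVENDOR = ("Example OS Vendor", "Example Public CA G3", "2023-01-10", "2026-01-10", "b2" * 20)
CONTOSO = ("Contoso Tools LLC", "Example Public CA G3", "2024-04-28", "2024-07-27", "c3" * 20)
SELFSIGNED = ("Updater Service", "Updater Service", "2024-04-30", "2034-04-30", "d4" * 20)

# Constructed sample telemetry: one record per execution of a signed binary.
SAMPLE_EXECUTIONS = [
    _rec("ws01", "C:/Program Files/Acme/acme.exe", ACME, "2024-05-02"),
    _rec("ws02", "C:/Program Files/Acme/acme.exe", ACME, "2024-05-02"),
    _rec("ws03", "C:/Program Files/Acme/acme.exe", ACME, "2024-05-03"),
    _rec("ws01", "C:/Windows/System32/notepad.exe", OSVENDOR, "2024-05-01"),
    _rec("ws02", "C:/Windows/System32/notepad.exe", OSVENDOR, "2024-05-01"),
    _rec("ws03", "C:/Windows/System32/notepad.exe", OSVENDOR, "2024-05-02"),
    _rec("ws02", "C:/Users/Public/ctool.exe", CONTOSO, "2024-05-01"),
    _rec("ws03", "C:/ProgramData/upd/svc.exe", SELFSIGNED, "2024-05-03"),
]


@dataclass(frozen=True)
class Finding:
    thumbprint: str
    subject: str
    reasons: tuple[str, ...]


def _d(s: str) -> date:
    return date.fromisoformat(s)


def analyze(executions, *, min_baseline_hosts: int = 2, min_validity_days: int = 365,
            new_cert_window_days: int = 30) -> list[Finding]:
    """Return one Finding per signing certificate that shows unusual characteristics."""
    # One signing certificate may sign many binaries: group by thumbprint.
    by_cert: dict[str, list[dict]] = defaultdict(list)
    issuer_hosts: dict[str, set[str]] = defaultdict(set)
    for rec in executions:
        by_cert[rec["thumbprint"]].append(rec)
        issuer_hosts[rec["issuer"]].add(rec["host"])

    # Baseline: issuers whose certificates signed code on enough distinct hosts.
    baseline_issuers = {i for i, h in issuer_hosts.items() if len(h) >= min_baseline_hosts}

    findings: list[Finding] = []
    for thumb, recs in by_cert.items():
        cert = recs[0]
        hosts = {r["host"] for r in recs}
        not_before, not_after = _d(cert["not_before"]), _d(cert["not_after"])
        first_seen = min(_d(r["observed"]) for r in recs)
        reasons: list[str] = []

        if cert["issuer"] == cert["subject"]:
            reasons.append("self-signed certificate")
        elif cert["issuer"] not in baseline_issuers:
            reasons.append(f"issuer outside environment baseline: {cert['issuer']}")
        if (not_after - not_before).days < min_validity_days:
            reasons.append(f"short validity period: {(not_after - not_before).days} days")
        if 0 <= (first_seen - not_before).days <= new_cert_window_days:
            reasons.append("certificate issued shortly before first observed execution")
        if len(hosts) == 1:
            reasons.append("signer seen on a single host")

        if reasons:
            findings.append(Finding(thumb, cert["subject"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EXECUTIONS):
        print(f"{f.subject} ({f.thumbprint[:8]}...): " + "; ".join(f.reasons))
```

The thresholds are starting points to tune per environment: a widely deployed vendor with a short-lived certificate will clear the single-host and issuer checks and surface only on validity, while a stolen certificate from a baseline issuer tends to show up through prevalence (one host, one new binary) rather than through the certificate's own fields.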