MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1553.002: Code Signing

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform.

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-780: Process_Herpaderping_Injection: The use of Herpaderping was detected. Herpaderping is a method of bypassing antivirus and security tools by modifying the content of a file after it has been mapped into memory, but before the first thread is started.

Detection

ID: DS0022
Data source and component: File: File Metadata
Description: Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
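The detection guidance above is about outlier analysis rather than a single signature check, so here is an added example of what that analysis can look like when run over collected file-metadata records. This is illustrative code written for this page, not MaxPatrol SIEM rule logic or any Positive Technologies code; the event field names, the sample records, and the known-signer list are all constructed assumptions. It flags a signed binary when its certificate is self-signed, when the signer is unknown to the estate, when the certificate was issued only days before the binary first ran (typical of freshly created or acquired signing material), when the validity window is unusually short, or when the binary ran before the certificate's notBefore date; certificate rarity across hosts is reported as a supporting indicator.

```python
"""Outlier analysis of code-signing certificate metadata (added example).

The records below model the fields a SIEM might collect for each executed,
signed binary: host, image path, signer subject and issuer, certificate
thumbprint, validity window and first execution date. The field names are
assumptions for this example, not a MaxPatrol SIEM schema.
"""
from collections import defaultdict
from datetime import date

# Constructed sample telemetry (not real data). Thumbprints are placeholders.
EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\System32\\svchost.exe",
     "subject": "CN=Microsoft Windows",
     "issuer": "CN=Microsoft Windows Production PCA 2011",
     "thumbprint": "T-MS-1", "not_before": "2022-10-01",
     "not_after": "2023-10-01", "first_seen": "2023-03-01"},
    {"host": "ws02", "image": "C:\\Windows\\System32\\svchost.exe",
     "subject": "CN=Microsoft Windows",
     "issuer": "CN=Microsoft Windows Production PCA 2011",
     "thumbprint": "T-MS-1", "not_before": "2022-10-01",
     "not_after": "2023-10-01", "first_seen": "2023-03-01"},
    {"host": "ws03", "image": "C:\\Program Files\\Vendor\\tool.exe",
     "subject": "CN=Example Vendor Ltd",
     "issuer": "CN=Example Public CA Code Signing",
     "thumbprint": "T-VEND-1", "not_before": "2022-01-15",
     "not_after": "2025-01-15", "first_seen": "2023-03-02"},
    # Outlier: self-signed, issued two days before first run, one-month validity.
    {"host": "ws07", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "subject": "CN=Contoso Updater", "issuer": "CN=Contoso Updater",
     "thumbprint": "T-SELF-1", "not_before": "2023-03-03",
     "not_after": "2023-04-03", "first_seen": "2023-03-05"},
    # Outlier: CA-issued but the signer is new to the estate and the certificate
    # was issued five days before the binary first executed.
    {"host": "ws09", "image": "C:\\ProgramData\\svc\\agent.exe",
     "subject": "CN=Fast Soft LLC", "issuer": "CN=Example Public CA Code Signing",
     "thumbprint": "T-NEW-1", "not_before": "2023-02-27",
     "not_after": "2024-02-27", "first_seen": "2023-03-04"},
]

# Assumed allowlist of signers already vetted in this environment.
KNOWN_SIGNERS = {"CN=Microsoft Windows", "CN=Example Vendor Ltd"}


def _day(s):
    return date.fromisoformat(s)


def analyze(events, known_signers=KNOWN_SIGNERS, fresh_days=14,
            short_validity_days=90, min_hosts=2):
    """Return {image: [reasons]} for binaries whose signing certificate is an outlier."""
    hosts_per_thumbprint = defaultdict(set)
    for e in events:
        hosts_per_thumbprint[e["thumbprint"]].add(e["host"])

    findings = defaultdict(list)
    for e in events:
        reasons = []
        if e["subject"] == e["issuer"]:
            reasons.append("self-signed certificate")
        if e["subject"] not in known_signers:
            reasons.append("signer not in known-signer list")

        lead = (_day(e["first_seen"]) - _day(e["not_before"])).days
        if lead < 0:
            reasons.append("executed before certificate notBefore date")
        elif lead <= fresh_days:
            reasons.append(f"certificate issued {lead} days before first execution")

        validity = (_day(e["not_after"]) - _day(e["not_before"])).days
        if validity < short_validity_days:
            reasons.append(f"short validity period ({validity} days)")

        # Rarity alone is not an alert; it only strengthens another indicator.
        if reasons and len(hosts_per_thumbprint[e["thumbprint"]]) < min_hosts:
            reasons.append("certificate seen on only one host")

        for r in reasons:
            if r not in findings[e["image"]]:
                findings[e["image"]].append(r)
    return dict(findings)


if __name__ == "__main__":
    for image, reasons in analyze(EVENTS).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

The thresholds (14 days of lead time, 90 days of validity, two hosts) are starting points to tune against the environment's own baseline: vendors that rotate short-lived signing certificates will show up under the validity check, so the known-signer list and the "freshly issued" check should be reviewed together rather than acted on individually.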