T1036.001 Invalid Code Signature Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceFileCertificateInfo
| where Timestamp > ago(24h)
| where IsRootSignerMicrosoft == false or SignatureState != "Valid"
| where isnotempty(Signer)
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where isnotempty(SHA1)
) on $left.SHA1 == $right.SHA1
| where SignatureState in ("Invalid", "Untrusted", "Expired", "Revoked")
| project Timestamp, DeviceName, FileName, FolderPath, Signer, SignatureState, IsTrusted,
         ProcessCommandLine, InitiatingProcessFileName, AccountName
| sort by Timestamp desc

medium severity medium confidence

Data Sources

File: File Metadata Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileCertificateInfo DeviceProcessEvents

False Positives

Expired certificates on legitimate but outdated software that has not been updated
Self-signed certificates used by internal development or testing tools
Legitimate software with misconfigured or incomplete signing (common in some open-source tools)
Revoked certificates that were legitimately used before revocation and may still be in software repos

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
| where SignatureStatus!="Valid"
| where isnotnull(Signature) AND Signature!="?"
| eval SignedButInvalid=if(SignatureStatus IN ("Invalid", "Expired", "Revoked", "Untrusted"), 1, 0)
| where SignedButInvalid=1
| stats count as Executions, values(SignatureStatus) as SigStatus, dc(host) as Hosts by Image, Signature, Signed
| where Executions < 10
| sort - Executions

medium severity medium confidence

Data Sources

File: File Metadata Module: Module Load Sysmon Event ID 7

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Expired certificates on legitimate but outdated software that has not been updated
Self-signed certificates used by internal development or testing tools
Legitimate software with misconfigured or incomplete signing (common in some open-source tools)

Elastic Security (EQL)

eql

sequence by process.entity_id
  [library where process.code_signature.status != "trusted" and
   process.code_signature.exists == true and
   process.code_signature.status in ("error", "expired", "revoked", "untrusted") and
   process.code_signature.subject_name != null and
   process.code_signature.subject_name != ""
  ]
  [process where event.type == "start" and
   process.code_signature.exists == true and
   process.code_signature.status != "trusted" and
   process.code_signature.status in ("error", "expired", "revoked", "untrusted") and
   not process.name in ("MicrosoftEdgeUpdate.exe", "MsiExec.exe")
  ]

high severity high confidence

Data Sources

Elastic Endpoint Elastic Agent (endpoint integration) Sysmon via Beats

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.process-*

False Positives

Expired signing certificates on legacy internal tooling or build artifacts not yet re-signed after certificate renewal
Self-signed development binaries deployed to production endpoints during CI/CD pipeline testing
Third-party vendor software with revoked certificates that have not yet been updated or patched by the vendor

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip,
       "hostname",
       username,
       "filename",
       "filepath",
       QIDNAME(qid) AS EventName,
       "SignatureStatus",
       "Signer",
       "CommandLine"
FROM events
WHERE LOGSOURCETYPEID IN (65, 1263)
  AND QIDNAME(qid) LIKE '%Image Load%'
  AND "SignatureStatus" IS NOT NULL
  AND "SignatureStatus" NOT LIKE 'Valid'
  AND "SignatureStatus" IN ('Invalid', 'Expired', 'Revoked', 'Untrusted')
  AND "Signer" IS NOT NULL
  AND "Signer" NOT LIKE ''
  AND starttime > (NOW() - 86400000)
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (via QRadar DSM) Windows Security Event Log (via QRadar DSM)

Required Tables

events

False Positives

Internal proprietary software signed with an enterprise certificate that has since expired and is pending renewal through PKI team
Security tools or EDR agents that load drivers or libraries with self-signed or test-mode signatures during installation
Antivirus quarantine handlers or sandboxing tools that intentionally load and analyze binaries with known-bad signature states

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=OS/Windows/Sysmon
| where EventID = "7"
| json field=_raw "SignatureStatus", "Signature", "Signed", "Image", "Computer", "User", "CommandLine" nodrop
| where !isNull(Signature) AND Signature != "?" AND Signature != ""
| where SignatureStatus in ("Invalid", "Expired", "Revoked", "Untrusted")
| eval SignedButInvalid = if(SignatureStatus in ("Invalid", "Expired", "Revoked", "Untrusted"), 1, 0)
| where SignedButInvalid = 1
| stats count as Executions, values(SignatureStatus) as SigStatus, dcount(Computer) as Hosts by Image, Signature, Signed
| where Executions < 10
| sort by Executions desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Source (Sysmon) Sumo Logic Cloud-to-Cloud Windows Event Log source

Required Tables

_sourceCategory=windows/sysmon

False Positives

Beta or release candidate builds from legitimate vendors that are shipped with pre-production or test code signatures not yet validated by the CA
Forensic investigation tools or incident response utilities that carry expired signatures from the vendor due to infrequent update cycles
Dual-use security research tools (e.g., Sysinternals variants or custom audit tools) distributed informally within the organization without re-signing

Google Chronicle / SecOps

yaral

rule invalid_code_signature_t1036_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process execution or image load events where a code signature is present but in an invalid, expired, revoked, or untrusted state, indicating potential T1036.001 masquerading activity."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.001"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1036/001/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.authenticode_hash.sha256 != ""
    $e.target.process.file.pe.signature_present = true
    $e.target.process.file.pe.is_signed = true
    (
      $e.target.process.file.pe.signature_type = "INVALID" or
      $e.target.process.file.pe.signature_type = "EXPIRED" or
      $e.target.process.file.pe.signature_type = "REVOKED" or
      $e.target.process.file.pe.signature_type = "UNTRUSTED"
    )
    $e.target.process.file.pe.issuer != ""
    not $e.principal.hostname = ""

    $host = $e.principal.hostname
    $image = $e.target.process.file.full_path
    $signer = $e.target.process.file.pe.issuer
    $sigstate = $e.target.process.file.pe.signature_type

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM (via Windows Sysmon Forwarder) Chronicle UDM (via Microsoft Defender for Endpoint ingestion) Chronicle UDM (via CrowdStrike Falcon ingestion)

Required Tables

PROCESS_LAUNCH UDM events with PE metadata

False Positives

Enterprise internal applications signed with a corporate root CA certificate that is not trusted by the global CA store used for validation in the UDM enrichment pipeline
Legitimate software distributed via internal package management (e.g., Chocolatey, SCCM) where certificate expiry predates the detection window
Penetration testing tools or red team frameworks intentionally loaded with test or self-signed certificates as part of authorized security exercises

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2"
| ImageFileName = /./
| SignInfoFlags != "0"
| SignInfoFlags = /(?:invalid|expired|revoked|untrusted)/i
OR (
  #event_simpleName = "ClassifiedModuleLoad"
  | SignInfoFlags != "0"
  | ImageFileName != ""
  | SignInfoFlags = /(?:invalid|expired|revoked)/i
)
| groupBy([ComputerName, ImageFileName, SignInfoFlags, SHA256HashData], function=[
    count(aid, as=ExecutionCount),
    collectDistinct(UserName, as=Users),
    collectDistinct(CommandLine, as=CommandLines)
  ])
| ExecutionCount < 10
| sort(ExecutionCount, order=asc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (via Humio/LogScale ingestion) CrowdStrike Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2 SyntheticProcessRollup2 ClassifiedModuleLoad

False Positives

CrowdStrike's own sensor update packages or temporary extraction artifacts that are loaded transiently and carry internal test signatures
Legacy administrative scripts or tooling deployed via GPO that reference binaries signed with enterprise certificates not present in the Falcon trust chain
Software packaging tools (e.g., NSIS, Inno Setup installers) that wrap signed contents inside an outer installer binary whose signature has separately expired

Invalid Code Signature

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections